Tag Archives: rights

DDoS is Back; 3 Banks Attacked

A week after the self-proclaimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters announced plans to launch a fourth phase of attacks against U.S. banks it’s still not clear whether the group has resumed its distributed-denial-of-service activity. DDoS attacks appear to have targeted three banks July 24 through July 27, according to Keynote, an online and mobile cloud testing and traffic monitoring provider, and other sources. But security vendors that track attacks linked to al-Qassam’s botnet, known as Brobot, say they’re uncertain exactly who was behind those attacks. While some attack evidence suggested a link to Brobot, nothing was definitive. The online banking sites of JPMorgan Chase, U.S. Bancorp and Regions Financial Corp. all experienced intermittent outages last week, Keynote says, and the outages appear to be DDoS-related. All three banking institutions have previously been targeted by al-Qassam. Those three banks all declined to comment about the outages, although Chase did acknowledge intermittent online issues July 24 on Twitter , in response to customer complaints. Detecting those online glitches, however, took some digging, says Aaron Rudger, Keynote’s Web performance marketing manager. The online traffic patterns were different from what Keynote has recorded in the past for activity believed to be related to DDoS, he says. “Normally with DDoS attacks, we see a ramping decline in a site’s performance as the load against it builds,” Rudger says. “Eventually, the site falls over when overwhelmed.” But in all three online outages tracked last week, that pattern was not present, he says. “It seems they were hit very hard, very fast – so fast, our agents did not observe the typical ‘ramping’ effect of an attack,” he says. The pattern divergence could signal a different type of DDoS approach, or merely be a byproduct of the steps the affected banking institutions were taking to mitigate their outages, or a combination of the two, he says. And while all three banks suffered slightly different types of attacks – Chase hit by DNS lookup errors, U.S. Bank hit by TCP connection errors and Regions hit by traffic that allowed access to its homepage but kept eBanking inaccessible – Rudger says they all were, at least in part, linked to external issues. Bot Activity The outages linked to Chase began during the morning of July 24, stopped and then picked back up in the afternoon, says one DDoS mitigation expert, who asked to remain anonymous. The first wave of attacks had no commands linked to Brobot, but the second wave did, the source says. The outages at U.S. Bank, which began during the very early morning hours of July 24, also stopped for a while and picked back up in the afternoon, Rudger says. And the outages at Regions showed similar patterns, though the outages spanned two days and eBanking remained inaccessible throughout the duration, he adds. John LaCour, CEO of cybersecurity and intelligence firm PhishLabs, declined to comment about any particular banks affected by DDoS activity, but he confirmed that his company had tracked new attacks. He did not say, however, if those attacks were linked to Brobot. Tracking Attacks Several other DDoS mitigation providers would not comment about last week’s three apparent DDoS attacks. But the anonymous source says no one is certain whether al-Qassam is connected to those attacks. After al-Qassam’s announcement that it planned to launch a fourth phase of attacks, copycats may have decided to take advantage, launching attacks of their own hoping to be mistaken as al-Qassam, the source says. The group hasn’t attacked since the first week of May, when it announced it was halting its DDoS strikes in honor of Anonymous’ Operation USA , bringing an end to its third phase of attacks, which began March 5 (see New Wave of DDoS Attacks Launched ). al-Qassam has repeatedly stated it’s waging its attacks against U.S. banking institutions in protest of a Youtube movie trailer deemed offensive to Muslims. “Other DDoS actors have started their hostilities, trying to blame (or at least be confused with) them on QCF,” the source says. “We saw similar activity from the middle of Phase 2 onward, where fraudsters were attacking known [Operation] Ababil targets in order to straphang on the chaos that QCF was bringing.” Several security vendors tracking the group’s Brobot say that the botnet is growing. “The huge number of servers controlled by the attackers shows that this campaign was fully planned, intentionally organized and deliberate,” says Frank Ip, vice president of U.S. operations for NSFOCUS, which tracks DDoS activity. “This leads us to wonder whether the attack campaign is supported or backed by a country or financially well-off organization behind the scenes. We expect that similar DDoS attack events will occur in the wake of the recent activity, employing more diversified and varying methods.” Source: http://www.govinfosecurity.com/ddos-back-3-banks-attacked-a-5951/p-2

Visit site:
DDoS is Back; 3 Banks Attacked

Regions Bank Hit with New DDoS Attack

Regions Bank was the victim of cyber attackers that shuttered the bank’s website and interrupted its customers’ debit cards, reported AL.com. The bank’s website was hit Friday with a distributed-denial-of-service attack. Customers may have also not been able to use their debit cards at ATMs and merchants, according to a statement released to the website. “Access to regions.com and online banking were disrupted intermittently today by a distributed denial of service (DDoS) attack,” a spokesman told AL.com on Friday. “Some customers may have also been unable to use their CheckCards at ATMs or at merchants. We apologize for the difficulties this has caused and are working to resolve the issues as quickly as possible.” The attack comes on the heels of recent threats by from the hactivist group Izz ad-Din al-Qassam Cyber Fighters. Since last September, al-Qassam has taken responsibility for a series of cyber assaults that have plagued some of the nation’s largest banks — shuttering the online banking operations of Wells Fargo, PNC and dozens of others. Regions Bank was among those hit in early October. The Regions outage and debit card issues that occurred Friday reportedly lasted for nearly two hours. Source: http://www.americanbanker.com/issues/178_145/regions-bank-hit-with-new-ddos-attack-1060942-1.html

Read more here:
Regions Bank Hit with New DDoS Attack

DDoS: Lessons From U.K. Attacks

While U.S. banking institutions brace for the next wave of distributed-denial-of-service attacks by Izz ad-Din al-Qassam, new cyberthreat research reminds us that no industry or global market is immune to DDoS. A new study from online security provider Neustar shows that DDoS attacks are up in the United Kingdom, just as they are in the U.S., and they’re targeting everything from e-commerce sites to government. It’s not just banking institutions that DDoS attackers want to take down – a truth we’ve been preaching for several months. But now, data proves it. Of the 381 U.K. organizations polled between May and June by Neustar, 22 percent said they suffered from some type of DDoS attack in 2012. By comparison, a survey of 704 North American organizations released in April 2012 showed that 35 percent had been targeted by DDoS within the last year. While the financial services sector has been the primary DDoS target in the U.S., telecommunications companies are the No. 1 target in the U.K., according to the Neustar survey, with 53 percent reporting attacks. Half of U.K. e-commerce companies and 43 percent of online retailers surveyed reported attacks. But only 17 percent of the U.K. financial-services organizations say they had been targeted, compared with 44 percent in the North American survey. The North American data is a bit out of date, so the percentage of financial institutions hit by DDoS is now probably even higher. And attacks aimed at U.K. organizations have been nowhere as fierce as those waged against U.S. banks since September 2012. More Attacks on Way Now that al-Qassam has just announced plans for a fourth phase of attacks, we’re all bracing for more strikes against U.S. banks (see DDoS: Attackers Announce Phase 4 ). But the new survey sends a clear message: No organization is safe from DDoS. “As in North America, U.K. companies face serious challenges as they decide on DDoS protection and attempt to mitigate losses,” Neustar writes in its survey study. “While many companies are hoping traditional defenses will suffice, given the frequency of attacks, their growing complexity and the impact when sites go dark, such hopes are badly misplaced.” U.K. organizations could learn quite a bit from the example U.S. banks have set. Experts have noted time and time again that European banks and others are not well-prepped for DDoS. Despite the fact that the attacks waged against U.S. banks have been among the largest the industry has ever seen, the percentage of U.S. organizations that experienced extended outages was much smaller than that of U.K. organizations, the surveys showed. The defenses U.S. banking institutions have put in place have set a new bar. We already knew that, but now Neustar’s survey results support it. According to Neustar, while online outages lasting about 24 hours affected about 37 percent of both North American and U.K. organizations surveyed, outages lasting more than a week affected 22 percent in the U.K. and only 13 percent in North America. Having a site down for more than a week is an embarrassment, and costly. Can you even imagine a major banking institution’s site being down that long? Banks in the U.S. are prepared for DDoS. But what about other organizations? Are non-banks getting ready for DDoS, or do they still see this as only a threat to banking institutions? What you think? Let us know in the comment section below. Source: http://www.bankinfosecurity.com/blogs/ddos-no-industry-safe-p-1524

Visit link:
DDoS: Lessons From U.K. Attacks

Network Solutions Recovers After DDoS Attack

Network Solutions said it’s fully mitigated a distributed denial of service (DDoS) attack that compromised some services last week, and that attack volumes against the company had returned to normal. “We experience DDoS attacks almost daily, but our automatic mitigation protocols usually handle the attacks without any impact to our customers,” said John Herbkersman, a spokesman for Network Solutions’ parent company, Web.com, via email. Network Solutions manages more than more than 6.6 million domains, provides hosting services, registers domain names and also sells SSL certificates, among other services. But Monday, some customers reported still experiencing domain name server (DNS) and website updating difficulties that dated to the start of the DDoS attacks. The company, however, disputed those claims. “Some customers may be experiencing issues, but they are not related to last week’s DDoS attack,” said Herbkersman. The DDoS attacks began last week, with Network Solutions at first reporting that “some Network Solutions hosting customers are reporting latency issues,” according to a “notice to customers who are experiencing hosting issues” posted to the company’s website on Tuesday, July 16. “Our technology team is aware of the problem, and they’re working to resolve it as quickly as possible. Thank you for your patience,” it said. As the week continued, the company posted updates via Twitter and to its Facebook page. By Wednesday, it said that the outages were due to a DDoS attack “that is impacting our customers as well as the Network Solutions site.” It said that the company’s technology staff were “working to mitigate the situation.” Later on Wednesday the company declared via Twitter: “The recent DDOS attack affecting customers has now been mitigated. Customer websites should be resolving normally. Thanks for your patience.” The Network Solutions website wasn’t available or updateable for the duration of the attacks. But that wasn’t apparent to all customers, who might not have turned to Facebook and Twitter seeking updates about the company’s service availability. One InformationWeek reader, who emailed Friday, accused Network Solutions of being less than forthcoming about the fact that the outages were being caused by a DDoS attack, “which they acknowledged only when calling them,” after he found only the “notice to customers who are experiencing hosting issues” post on the company’s site. “They have been trying to bury it,” he alleged. “Some sites were down for the entire day.” Herbkersman brushed off the criticism. “In addition to Facebook, we communicated via the Network Solutions’ website and via Twitter,” he said. “We also responded directly to customers who called our customer service team and those who contacted us via social media channels.” Friday, the company did publish a fuller accounting of the outage to its website. “Earlier this week, Network Solutions experienced a distributed denial of service (DDoS) attack on its servers that affected our customers. The Network Solutions technology team quickly identified the issue and implemented measures to mitigate the attack,” read a statement posted to the company’s site and cross-referenced on its Facebook page. “We apologize to our customers who were impacted.” “Are we getting refunded some money because of your 99.99% uptime guarantee?” responded one member via Facebook. “Feel free to call our support team and they will be happy to discuss,” came a reply from Network Solutions. Customers might have had to contend with more than just the DDoS attack. A Tuesday Facebook post — since deleted, which the company said it made to help direct customers to more recent information about the DDoS-driven outages — drew comments from customers reporting DNS issues. “There were multiple reports on the July 16, 2013 Facebook thread that appear to indicate customer DNS records were corrupted before the DDoS induced outage,” Craig Williams, a technical leader in the Cisco Systems threat research group, said in a blog post. The one-two punch of domain name resolution difficulties and a DDoS attack could have left numerous sites inaccessible not just during the attack, but in subsequent days, as the company attempted to identify the extent of the damage and make repairs in subsequent days. Last week’s DDoS attack was the second such attack for Network Solutions customers in less than a month. “In [the] previous outage, domain name servers were redirected away from their proper IP addresses,” said Williams. In that case, however, at least some of the DNS issues appeared to be “a result of a server misconfiguration while Network Solutions was attempting to mitigate a DDoS attack.” Herbkersman, the Web.com spokesman, said last week’s outages were entirely driven by the DDoS attacks, rather than the company’s response to those attacks. Source: http://www.informationweek.com/security/attacks/network-solutions-recovers-after-ddos-at/240158685

Read the original:
Network Solutions Recovers After DDoS Attack

Four steps for denying DDoS attacks

Financial institutions have been battling waves of large distributed denial of service attacks since early 2012. Many of these attacks have been the work of a group called the Qassam Cyber Fighters, which until recently posted weekly updates on Pastebin about the reasons behind its attacks, and summarising Operation Ababil, its DDoS campaign, writes Terry Greer-King, UK managing director, Check Point ( right ). Other hacktivist groups have launched their own DDoS attacks and targeted financial services institutions with focused attacks on web forms and content. There have also been reports of nation-state organised cyber assaults on banks and government agencies, along with complex, multi-vector efforts that have combined DDoS attacks with online account tampering and fraud. These incidents against all sizes of banks have shown that there are many kinds of DDoS attacks, including traditional SYN and DNS floods, as well as DNS amplification, application layer and content targeted methods. Denial of Service (DoS) activities that have targeted SSL encrypted webpage resources and content are an additional challenge. In some instances, the adversaries have moved to a blended form of attack that incorporates harder-to-stop application layer methods alongside ‘cheap’, high-volume attacks that can be filtered and blocked through simpler means. To cope with this level of malicious activity, CIOs, CISOs, and their teams need to have a plan in place, and consider a set of defensive tools that combine on-premise technologies and cloud-based scrubbing services. They should also begin to explore and ultimately implement intelligence gathering and distribution methodologies that help lead to a comprehensive DoS mitigation strategy. Here are four steps to help in devising that strategy Have a scrubbing service or ‘cleaning provider’ to handle large volumetric attacks : the volumes associated with DDoS activity have reached a level where 80 Gbps of DDoS traffic is a normal event. There are even reports of attacks in the range of 300 Gbps. Few, if any organisations can maintain sufficient bandwidth to cope with attacks of this size. When faced with DDoS incidents this large, the first thing an organisation needs to consider is the option to route their Internet traffic through a dedicated cloud-based scrubbing provider that can remove malicious packets from the stream. These providers are the first line of defense for large volumetric attacks, as they have the necessary tools and bandwidth to clean network traffic so that DDoS packets are stopped in the cloud and regular business as usual traffic is allowed. Use a dedicated DDoS mitigation appliance to isolate and remediate attacks: the complexity of DoS attacks and the tendency to combine volumetric and application methods require a combination of mitigation methods. The most effective way to cope with the application and “low and slow” elements of these multi-vector attacks is to use an on-premise dedicated appliance. Firewalls and intrusion prevention systems are critical to the mitigation effort, and DDoS security devices provide an additional layer of defense through specialised technologies that identify and block advanced DoS activity in real-time. Administrators can also configure their on-premise solutions to communicate with cloud scrubbing service providers to enable automated route away during attack. Tune firewalls to handle large connection rates: t he firewall will also be an important piece of networking equipment during DDoS attacks. Administrators should adjust their firewall settings in order to recognise and handle volumetric and application-layer attacks. Depending on the capabilities of the firewall, protections can also be activated to block DDoS packets and improve firewall performance while under attack. Develop a strategy to protect applications from DDoS attacks: a s well as using security solutions, administrators should also consider tuning their web servers, and modifying their load balancing and content delivery strategies to ensure the best possible uptime. This should also include safeguards against multiple login attempts. Machine-led, automated activities can also be blocked by including web pages with offer details, such as opportunities for interest rate reduction or information on new products, so that users much click on “accept” or “no thanks” buttons in order to continue deeper into website content. Content analysis can also help – simple steps such as ensuring there are no large PDF files hosted on high-value servers can make a difference. The above methods are crucial to any DDoS mitigation strategy. Organisations must also reach out to service providers and ISPs and work with them to identify novel mitigation techniques. After all, DDoS attacks use the same Internet routes as bank customers, and ISPs carry both forms of traffic. Of increasing importance is the need to investigate and implement intelligence gathering and distribution strategies, both within company networks and across other companies operating in financial services. Getting more information about who the attacking agent is, the motivations behind the attack, and methods used, helps administrators anticipate and proactively architect around those attacks. Attack profile information can range from the protocols used in the attack (SYN, DNS, HTTP), the sources of attack packets, the command and control networks, and the times of day during which attacks began and ended. While valuable in mitigating attacks, there is no easy way to communicate this data, and regulatory hurdles make it even more difficult to share attack information. Right now, information-sharing consists of friends talking to friends. Information sharing needs to evolve into an automated system where multiple organisations can log in to a solution and see correlated and raw log data that provide clues about current and older attacks. Such systems could also be used to share attack intelligence and distribute protections. An industry information sharing capability would help elevate financial services companies’ abilities to cope with DDoS activity and bring the industry as a whole to a new level of preparedness. Source: http://www.bankingtech.com/154272/four-steps-for-denying-ddos-attacks/

Excerpt from:
Four steps for denying DDoS attacks

Many online newspapers become DDoS victims

At 4.11 pm of July 7, when accessing Dan Tri newspaper at dantri.com.vn, readers would see the words “Ban hay thuc hien phep tinh de tiep tuc su dung bao Dan Tri” showing that the access was denied. Dan Tri was just one of the many online newspapers hacked in recent days under a large scale DDoS offensive of the hackers. The hacking made a lot of newspapers inaccessible. Some readers still could access websites, but they had to try many times and wait with patience. Internet security experts have commented that the attack might have been well prepared for a long time, because it was conducted in a very methodical way. HVAOnline, a security forum, reported that since July 4, Thanh Nien, Tuoi tre, Dan Tri, VietNamNet, Kenh 14 have been the victims of the DDoS attacks, noting that the number of hacked online newspapers is on the rise. It is estimated that each of the newspapers incur the DDoS attack capacity of 50-70 Mbps, while the capacity was up to 1.3 Gbps for some newspapers. To date, some newspapers have fixed the problems, but the access remains unstable. According to Vo Do Thang, Director of Athena, an Internet security training center in HCM City, the current attack power would be unbearable to the small online newspapers. As such, the hacking would cause serious consequences, especially if it lasts for a long time. The experts said hackers purposely attacked the server of VDC 2 (the Vietnam Data communication Company) where the servers of many online newspapers are located. As a result, not only the VDC 2’s server, but the newspapers’ servers also suffered. HVAOnline said the forum itself and many other forums, information portals in Vietnam also incurred many DDoS attacks, but at weaker intensity. In fact, experts said the attacks began in June 2013 already at low intensity, which could be the preparation for the “general offensive” in July. They believe that the hackers may belong to a big and powerful organization to be able to mobilize such large botnets and zombies for the large scale attack. The hackers reportedly timed their attacks in their way. After finishing one attack aiming to one goal, they began the attack to another goal. After that, they unexpectedly returned and attacked the first aiming point. This way of hacking might make readers and the newspapers’ administrators misunderstand that the newspapers got troubles, while they did not think of a DDoS attack. Buu Dien newspaper on July 11 quoted the Director of an Internet security firm as saying that the firm, after analyzing the attack, found out that the attack was originated from an IP in Vietnam. BKAV’s Nguyen Minh Duc said two days ago that BKAV has not received any request for help from the hacked newspapers. A Symantec’s report in 2011 said that Vietnam has become the favorite space of the world’s hackers, and that it is the biggest botnet in the world. One of the reasons behind this is that Vietnamese don’t install anti-virus software on their computers, and they have the habit of installing cracked software pieces, or downloading some software products from unreliable websites. Source: http://english.vietnamnet.vn/fms/science-it/79186/many-online-newspapers-become-ddos-victims.html

See more here:
Many online newspapers become DDoS victims

Staying Informed About DDoS Threats

Distributed-denial-of-service attacks have plagued U.S. banks since last September. But DDoS attacks pose a persistent, genuine threat to other sectors as well. Any organization with an online presence is at risk. Successful DDoS attacks can take a website offline, damaging brand image and chipping away at consumer trust. But they also can do much more. In some cases, these attacks can be used to mask fraud by distracting security and IT departments while banking accounts or confidential files are simultaneously being taken over. To provide insights on the latest DDoS threats – and effective mitigation strategies – Information Security Media Group has launched a DDoS Resource Center . The resource center, sponsored by online security firms Akamai, Fortinet, Neustar, Radware and VeriSign, includes timely interviews, in-depth features, news stories and blogs that offer insights about emerging botnets and attack techniques from those who are analyzing and battling DDoS on the frontlines. The resource center also offers expert insights on practical steps for minimizing the impact of DDoS attacks. By visiting the resource center, you’ll get the latest information on the different types of DDoS attacks, such as DNS reflection and application layer attacks, as well as the attacks’ possible links to fraud . You’ll learn about DDoS protections and mitigation services , notification and response strategies, and DDoS detection measures. Here’s a sampling of the variety of content our resource center offers: An interview with ex-FBI investigator Shawn Henry , who shares insights about cross-border and cross-industry collaboration that’s taking place behind the scenes to strengthen DDoS and cybersecurity knowledge. An analysis of a new type of DDoS strike that targeted two U.S. banks for what some say could have been a test for more attacks to come. A blog about how the botnet, known as Brobot, that’s been used in DDoS attacks against U.S. banks is being retooled to defeat common mitigation practices. And an interview with former federal banking examiner Amy McHugh about why community banks are prime targets for DDoS strikes being waged as modes of distraction to veil account takeover attempts. The DDoS Resource Center also provides research, white papers and webinars, including a session on new defense strategies for DDoS , which includes insights from Rodney Joffee of DDoS-mitigation provider Neustar and Mike Wyffels, senior vice president and chief technology officer of multibank holding company QCR Holdings Inc. Source: http://www.bankinfosecurity.com/blogs/staying-informed-about-ddos-threats-p-1506

See the original article here:
Staying Informed About DDoS Threats

LinkedIn DDoS response botched

More than half of Linkedin’s members were knocked off the service for an extended period yesterday following a botched response to a DDOS by service provider Network Solutions. Users were redirected in error to India-based website confluence-networks.com which did not require Secure Sockets Layer connections meaning users’ cookies were sent in clear text. Initial media reports suggested the company’s DNS had been hijacked and user security potentially compromised as user’s cookies may have been visible as plain text during the outage. Linkedin subsequently confirmed on Twitter that the outage was due to human error not malice. “Yesterday’s issue was not malicious in any way It was an error by the company that manages our domain,” the statement said. In a post on its site the company claimed LinkedIn member data was not compromised. For protection against your eCommerce site click here . Source: http://www.scmagazine.com.au/News/347578,linkedin-ddos-response-botched.aspx

Possibly related DDoS attacks cause DNS hosting outages

Distributed denial-of-service (DDoS) attacks that could be related have in the past few days slammed the DNS servers of at least three providers of domain name management and DNS hosting services. DNSimple, easyDNS and TPP Wholesale all reported temporary DNS service outages and degradation on Monday, citing DDoS attacks as the reason. In some cases the attacks started a few days ago and are ongoing. TPP Wholesale, a subsidiary of Sydney-based Netregistry, one of Australia’s largest providers of Web hosting, domain management and other online services, alerted its customers through its website on Monday that eight of its DNS servers experienced “unscheduled service interruption.” TPP Wholesale experienced a series of DDoS attacks against its DNS name servers over the past several days, the Netregistry Group Security Team said in a blog post. The company managed to mitigate the DDoS attacks that caused service interruptions throughout Monday by taking “the drastic step” of rate-limiting DNS queries, the team said. Such aggressive filtering is prone to false positives and might result in some customers being denied DNS service. “In the next few days we will continue to whitelist such false positives as we discover them,” the team said. Second wave EasyDNS, a DNS hosting provider based in Toronto, also reported DNS service disruptions caused by a DDoS attack on Monday. “This looks like a larger version of a smaller DDoS yesterday which was possibly a test run,” the company’s CEO Mark Jeftovic said Monday in a blog post. “This DDoS attack is different from our previous ones in that it looks as if the target is us, easyDNS, not one of our clients.” Jeftovic said that it was difficult to differentiate the real traffic from the DDoS traffic, but the company managed to partially mitigate the attack and also published workarounds for affected customers. “This is the ‘nightmare scenario’ for DNS providers, because it is not against a specific domain which we can isolate and mitigate, but it’s against easyDNS itself and it is fairly well constructed,” he said. Third victim Aetrion, based in Malabar, Florida, operates a DNS hosting service called DNSimple, which was also attacked on Monday. According to DNSimple founder Anthony Eden, the DDoS attack is ongoing, but the company managed to mitigate it. “Our authoritative name servers were used as an amplifier for an attack against a third-party network,” Eden said Tuesday via email. “The attacker essentially flooded us with ‘ANY’ queries for a variety of domains managed by our DNS service, with the intention of amplifying these small queries into significantly larger responses aimed at a specific network.” This attack technique is known as DNS reflection or DNS amplification. It involves sending queries with a spoofed source IP (Internet Protocol) address—usually the victim’s address—to DNS servers from a large number of computers in order to trigger long responses to be sent by those servers to victim’s IP address within a short time window. If enough computers and DNS servers are used, the resulting rogue DNS traffic will exhaust the victim’s available Internet bandwidth. The DNS reflection technique has been known for a long time. However, its recent use to launch DDoS attacks of unprecedented scale, like the one in March that targeted a spam-fighting organization called Spamhaus, has likely brought it renewed interest from attackers. The attack experienced by DNSimple on Monday was significantly larger in volume and duration than other attacks that hit the company’s name servers in the past, Eden said. He believes that the attack is related to the ones experienced by easyDNS and TPP Wholesale. “The pattern displayed on TPP Wholesale’s blog is similar to what we see, and we have been communicating with easyDNS and find similarities between the attacks.” EasyDNS and TPP Wholesale did not immediately respond to inquiries seeking more information about the recent attacks against their servers and confirmation that they were using DNS reflection techniques. Attack and abuse reports on the increase It’s possible that DNS servers operated by other companies were also affected by this attack, Eden said. “A DNS provider will have a significantly higher number of customers and thus the attacks get noticed much sooner because it affects a larger group of people,” he said. DNSimple’s authoritative name servers were used to amplify a DDoS attack directed at a server hosting company called Sharktech or one of its customers, Eden said. Sharktech has noticed a surge of abuse reports in the past 24 hours coming from ISPs and hosting companies complaining about DDoS attacks against their DNS servers that appear to originate from Sharktech, said Tim Timrawi, president and CEO of Sharktech, via email. Upon further investigation the company determined that these reports were actually the result of a DNS amplification attack against its own customers that abused the authoritative DNS servers of those companies, he said. Most of the affected DNS servers were secured properly and were being queried for domains they are responsible for, Timrawi said. “Unlike previous DNS Amplification Attacks in which the attacker used open recursive DNS servers, in this one, the attacker is collecting all the DNS servers they can find and sending MX (and other kind of queries) to them for their domain records with a spoofed source of the target host,” he said. The amplified DDoS attack targeting Sharktech customers was larger than 40Gbps, Timrawi said. “We are unaware of the reason behind the attacks,” he said. The abuse of authoritative name servers in DNS reflection attacks is not very common because attackers need to know the exact domain names that each abused server is responsible for, said Carlos Morales, vice president of sales engineering and operations at DDoS mitigation provider Arbor Networks. Obtaining this information is not very hard, but it does require additional work compared to abusing open DNS resolvers, and attackers usually prefer the easiest route to reach their goals, he said. Open DNS resolvers are recursive DNS servers that are configured to accept queries from any computers on the Internet. These act as relays between users and authoritative DNS servers; they receive queries for any domain name, find the authoritative name server responsible for it and relay the information obtained from that server back to the user. Meanwhile, authoritative name servers, like those operated by DNSimple, easyDNS and TPP Wholesale, will only respond to queries concerning the domain names they serve. Well-prepared attackers The extra work required to target such servers suggests that the attackers behind the recent attacks on these DNS hosting providers were well prepared and did their homework in advance, Morales said. One mitigation against this kind of attack is to configure the DNS server software to force all “ANY” queries sent over UDP (User Datagram Protocol) to be resent over TCP (Transmission Control Protocol) instead, Eden said. This can be done by sending a UDP response with the TC bit set and an empty answer section. A legitimate DNS client will retry over TCP, while a bogus client will get no benefit, he said. In the case of open resolvers, the problem can be mitigated by restricting which IP addresses are allowed to query them, said Morales. For example, an ISP operating a DNS resolver for its customers can restrict its use to only IP addresses from its network, he said. However, this kind of mitigation is not applicable to authoritative name servers because they are meant to be queried by anyone on the Internet who wants to get information about the specific domain names served by them, Morales said. The mitigation described by Eden is very good and is actually one that Arbor also uses to protect authoritative name servers, he said. Another mitigation is to enforce a query rate limit for source IP addresses, he said. Source: http://www.pcworld.com/article/2040766/possibly-related-ddos-attacks-cause-dns-hosting-outages.html

View original post here:
Possibly related DDoS attacks cause DNS hosting outages

Turkish gov’t websites hacked by Anonymous

A group of computer hackers known as Anonymous carried out early on Monday a series of cyberattacks on Turkish government websites in retaliation for violent police response to anti-government protests. Several Anonymous messages in its Twitter blog provide links to the sites, including those of President Turkish President Abdullah Gul and Turkey’s ruling Justice and Development Party, that have been denied public access. Hackers normally use distributed denial of service (DDoS) attacks to knock their targets offline. Turkey’s Hürriyet Daily News reported on Monday that some Turkish media websites have also been targeted by Anonymous for “for failing to adequately cover the events.” The planned demolition of Gezi Park in central Istanbul sparked mass rallies in the city on Saturday, prompting police to use tear gas and water cannons to disperse the protesters. Violent clashes between protesters and police continued in Istanbul and the capital, Ankara, on Sunday. The rally in Istanbul triggered more than 230 separate protests in 67 cities across the country, according to Sky News. Turkey’s Interior Minister Muammer Guler said on Sunday that more than 1,700 people had been arrested in the unrest nationwide, adding that 58 civilians and 115 security officers had been injured over several days of protests. The United States and the European Union and have already urged the Turkish government to exercise restraint, while Amnesty International has condemned the use of tear gas by Turkish police as “a breach of international human rights standards.” Anonymous declares Internet attacks in support of Turkish protests Anonymous vows to kick off a worldwide action which will “bring the Turkish government to its knees.” With #opTurkey, the hacktivist collective plans to “attack every Internet and communications asset of the Turkish government.” Anonymous claims to have taken down several websites across Turkey, targeting municipal governments in Mersin and Izmir as well the Gebze Institute of Technology. Source: http://www.turkishweekly.net/news/151067/turkish-gov-39-t-websites-hacked-by-anonymous.html

Continued here:
Turkish gov’t websites hacked by Anonymous