Tag Archives: stop ddos attacks

DDoS cyberattacks have skyrocketed this year. Just ask the New Zealand stock exchange

The New Zealand stock exchange (NZX) website has gone down again in what appears to be the latest disruption caused by cyber attackers. The NZX website has been targeted by repeated distributed denial of service (DDoS) attacks over the last week, beginning last Tuesday. Such attacks disrupt service by saturating the network with significant volumes of internet traffic, and have caused NZX to halt trading four days in a row. The latest outage comes less than an hour after NZX revealed it had contingency arrangements in place with the Financial Markets Authority should its website go down again. The arrangements, which come after NZX teamed up with cyber defence experts Akamai Technologies, are for the release of and access to market announcements that are intended to allow trading to continue. NZX chief executive Mark Peterson said he’d been advised by independent cyber specialists that the recent attacks are “among the largest, most well-resourced and sophisticated they have ever seen in New Zealand”. On Friday, the Government Communications Security Bureau (GCSB) was directed to help the NZX with the attacks amid reports a crime syndicate was demanding Bitcoin payments. In an appearance on The AM Show on Monday, Rush Digital founder Danu Abeysuriya told host Ryan Bridge the attackers can be difficult to track. “Whoever’s doing it has a lot of resources organised – so it could be a really cashed-up criminal gang, which is highly likely, or something more,” he said. “It’s highly likely that it’s a ransom-type attack.” Abeysuriya said technology company Garmin recently paid a ransom of about 10 million Euros following a cyber-attack. Source: https://www.newshub.co.nz/home/money/2020/08/nzx-website-goes-down-yet-again.html    


RangeAmp DDoS attacks can take down websites and CDN servers

A team of Chinese academics has found a new way to abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). Named RangeAmp, this new Denial-of-Service (DoS) technique exploits incorrect implementations of the HTTP “Range Requests” attribute.

HTTP Range Requests are part of the HTTP standard and allow clients (usually browsers) to request only a specific portion (range) of a file from a server. The feature was created for pausing and resuming traffic in controlled (pause/resume actions) or uncontrolled (network congestion or disconnections) situations.

The HTTP Range Requests standard has been under discussion at the Internet Engineering Task Force (IETF) for more than half a decade, but, due to its usefulness, has already been implemented by browsers, servers, and CDNs.

Two RangeAmp attacks discovered

Now, a team of Chinese academics says that attackers can use malformed HTTP Range Requests to amplify how web servers and CDN systems react when having to deal with a range request operation. The team says two different RangeAmp attacks exist.

The first is called a RangeAmp Small Byte Range (SBR) attack. In this case [see (a) in the image below], the attacker sends a malformed HTTP range request to the CDN provider, which amplifies the traffic towards the destination server, eventually crashing the targeted site.

The second is called a RangeAmp Overlapping Byte Ranges (OBR) attack. In this case [see (b) in the image below], the attacker sends a malformed HTTP range request to a CDN provider and, where the traffic is funneled through other CDN servers, it is amplified inside the CDN networks, crashing CDN servers and rendering both the CDNs and many other destination sites inaccessible.

[Image: Weizhong et al.]

Academics said they tested RangeAmp attacks against 13 CDN providers and found that all were vulnerable to the RangeAmp SBR attack, and six were also vulnerable to the OBR variant when used in certain combinations. Researchers said the attacks were very dangerous and required a minimum of resources to carry out. Of the two, RangeAmp SBR attacks could amplify traffic the most. The research team found that attackers could use a RangeAmp SBR attack to inflate traffic from 724 to 43,330 times the original traffic.

[Image: Weizhong et al.]

RangeAmp OBR attacks were a little harder to carry out, as the six vulnerable CDNs needed to be in specific (master-surrogate) configurations, but when conditions were met, researchers said OBR attacks could also be used to inflate traffic inside a CDN network with amplification factors of up to nearly 7,500 times the initial packet size.

[Image: Weizhong et al.]

Of the two, OBR attacks were considered more dangerous, as attackers could take down entire chunks of a CDN provider’s network, bringing down connectivity for thousands of websites at a time.

CDN vendors notified seven months ago

Academics said that for the past few months they have been silently contacting the affected CDN providers and disclosing the details of the RangeAmp attack. Of the 13 CDN providers, researchers said that 12 responded positively and either rolled out or said they planned to roll out updates to their HTTP Range Request implementation. The list includes Akamai, Alibaba Cloud, Azure, Cloudflare, CloudFront, CDNsun, CDN77, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, and Tencent Cloud.

“Unfortunately, although we have sent them emails several times and have tried to reach out to their customer services, StackPath did not provide any feedback,” the research team said. “In general, we have tried our best to responsibly report the vulnerabilities and provide mitigation solutions. The related CDN vendors have had nearly seven months to implement mitigation techniques before this paper was published.”

Each CDN provider’s reply, along with technical details about the RangeAmp attacks, is available in the research team’s paper, entitled “CDN Backfired: Amplification Attacks Based on HTTP Range Requests,” available for download in PDF format.

Source: https://www.zdnet.com/article/rangeamp-attacks-can-take-down-websites-and-cdn-servers/
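As a defender-side illustration of the overlapping-range case described above, the following added example (not code from the article or the research paper) vets a Range header before an edge or origin server acts on it: it resolves each range against the resource size, measures how many bytes the request asks for compared with the distinct bytes it covers, and coalesces or rejects accordingly. The function names, the MAX_RANGES limit and the sample headers in the comments are assumptions made for the example.

```python
import re
from dataclasses import dataclass

MAX_RANGES = 8  # assumed edge policy, not a value from the paper or any CDN
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


@dataclass
class RangeVerdict:
    action: str       # "serve", "coalesce", "reject", "ignore" or "unsatisfiable"
    ranges: list      # absolute (first, last) byte pairs to actually serve
    inflation: float  # bytes requested / distinct bytes covered


def resolve_ranges(header, size):
    """Resolve 'bytes=a-b,c-,-n' against a resource of `size` bytes.

    Returns a list of (first, last) pairs, or None if the header is invalid.
    """
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    resolved = []
    for spec in specs.split(","):
        if not spec.strip():
            continue                      # empty list elements are tolerated
        m = _SPEC.match(spec)
        if not m or m.groups() == ("", ""):
            return None
        first, last = m.groups()
        if first == "":                   # suffix form: the last N bytes
            n = int(last)
            if n > 0 and size > 0:
                resolved.append((max(size - n, 0), size - 1))
        else:
            f = int(first)
            l = int(last) if last else size - 1
            if last and l < f:
                return None               # last byte before first: invalid
            if f < size:                  # ranges starting past the end are dropped
                resolved.append((f, min(l, size - 1)))
    return resolved


def coalesce(ranges):
    """Merge overlapping or adjacent ranges into a minimal sorted set."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def vet_range_header(header, size):
    """Decide how to answer a Range header for a resource of `size` bytes."""
    ranges = resolve_ranges(header, size)
    if ranges is None:
        return RangeVerdict("ignore", [], 1.0)         # treat as a plain GET
    if not ranges:
        return RangeVerdict("unsatisfiable", [], 1.0)  # answer 416
    merged = coalesce(ranges)
    requested = sum(l - f + 1 for f, l in ranges)
    distinct = sum(l - f + 1 for f, l in merged)
    if len(merged) > MAX_RANGES:
        return RangeVerdict("reject", [], requested / distinct)
    if requested > distinct:                           # the ranges overlap
        return RangeVerdict("coalesce", merged, requested / distinct)
    return RangeVerdict("serve", ranges, 1.0)


if __name__ == "__main__":
    # Constructed sample headers for a 1000-byte resource.
    for hdr in ("bytes=0-99", "bytes=0-,0-,0-,0-", "bytes=-100", "bytes=abc"):
        print(hdr, "->", vet_range_header(hdr, 1000))
```

The inflation field is the ratio an operator would log or alert on: a value well above 1.0 means the response would repeat the same bytes several times unless the ranges are coalesced first.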


NXNSAttack technique can be abused for large-scale DDoS attacks

New vulnerability in DNS server software can be leveraged for DDoS attacks with a 1,620x amplification factor.

A team of academics from Israel has disclosed today details about NXNSAttack, a vulnerability in DNS servers that can be abused to launch DDoS attacks of massive proportions. According to the research team, NXNSAttack impacts recursive DNS servers and the process of DNS delegation.

Recursive DNS servers are DNS systems that pass DNS queries upstream in order to be resolved and converted from a domain name into an IP address. These conversions take place on authoritative DNS servers, the servers that contain a copy of the DNS record, and are authorized to resolve it. However, as a safety mechanism that is part of the DNS protocol, authoritative DNS servers can also “delegate” this operation to alternative DNS servers of their choosing.

New NXNSAttack explained

In a research paper published today, academics from the Tel Aviv University and The Interdisciplinary Center in Herzliya, Israel, said they found a way to abuse this delegation process for DDoS attacks. The NXNSAttack technique has different facets and variations, but the basic steps are detailed below:

1) An attacker sends a DNS query to a recursive DNS server. The request is for a domain like “attacker.com,” which is managed through an attacker-controlled authoritative DNS server.
2) Since the recursive DNS server is not authorized to resolve this domain, it forwards the operation to the attacker’s malicious authoritative DNS server.
3) The malicious DNS server replies to the recursive DNS server with a message that equates to “I’m delegating this DNS resolving operation to this large list of name servers.” The list contains thousands of subdomains for a victim website.
4) The recursive DNS server forwards the DNS query to all the subdomains on the list, creating a surge in traffic for the victim’s authoritative DNS server.

[Image: NIC.CZ]

NXNSAttack has a huge amplification factor

The research team says that an attacker using NXNSAttack can amplify a simple DNS query from 2 to 1,620 times its initial size, creating a massive spike in traffic that can crash a victim’s DNS server. Once the DNS server goes down, this also prevents users from accessing the attacked website, as the site’s domain can’t be resolved anymore.

The research team says the NXNSAttack packet amplification factor (PAF) depends on the DNS software running on a recursive DNS server; however, in most cases, the amplification factor is many times larger than other DDoS amplification (reflection) attacks, where the PAF is usually between lowly values of 2 and 10. This large PAF implies that NXNSAttack is one of the most dangerous DDoS attack vectors known to date, having the ability to launch debilitating attacks with only a few devices and automated DNS queries.

Patches available for DNS software

The Israeli researchers said they’ve been working for the past few months with the makers of DNS software, content delivery networks, and managed DNS providers to apply mitigations to DNS servers across the world. Impacted software includes the likes of ISC BIND (CVE-2020-8616), NLnet Labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667), but also commercial DNS services provided by companies like Cloudflare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9, and ICANN.

[Image: Shafir et al.]

Patches have been released today and over the previous weeks. They include mitigations that prevent attackers from abusing the DNS delegation process to flood other DNS servers. Server administrators who run their own DNS servers are advised to update DNS resolver software to the latest version.

The research team’s work has been detailed in an academic paper entitled “NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities,” available for download in PDF format.

Source: https://www.zdnet.com/article/nxnsattack-technique-can-be-abused-for-large-scale-ddos-attacks/
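To make the resolver-side view of the delegation steps above concrete, here is an added example (not code from the article, the paper or any DNS vendor) that inspects a referral before the resolver acts on it: it counts the name servers supplied without an address, caps how many the resolver will go and look up, and flags a referral whose name servers mostly point into some other zone. The Referral model, the thresholds, the two-label zone heuristic and the .example names are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

MAX_GLUELESS = 5     # assumed per-referral cap, not a value from any resolver
ALERT_COUNT = 20     # assumed: glueless names before a referral is examined
ALERT_SHARE = 0.8    # assumed: share of them pointing into one other zone


@dataclass
class Referral:
    zone: str                                  # zone being delegated
    ns_names: list                             # NS targets named in the referral
    glue: dict = field(default_factory=dict)   # NS name -> address supplied with it


def parent_zone(name, labels=2):
    """Naive zone guess: the last `labels` labels of the name.

    A production check would use the public suffix list instead.
    """
    return ".".join(name.rstrip(".").lower().split(".")[-labels:])


def plan_ns_lookups(ref):
    """Return which name-server names to resolve and whether to raise an alert."""
    have_glue = {n.rstrip(".").lower() for n in ref.glue}
    # Names without glue are the ones the resolver would have to look up itself.
    glueless = [n for n in ref.ns_names if n.rstrip(".").lower() not in have_glue]
    targets = Counter(parent_zone(n) for n in glueless)
    top_zone, top_hits = targets.most_common(1)[0] if targets else (None, 0)
    suspicious = (
        len(glueless) >= ALERT_COUNT
        and top_zone != parent_zone(ref.zone)
        and top_hits / len(glueless) >= ALERT_SHARE
    )
    return {
        "resolve": glueless[:MAX_GLUELESS],    # bounded work per referral
        "skipped": max(len(glueless) - MAX_GLUELESS, 0),
        "suspicious": suspicious,
        "pointed_at": top_zone if suspicious else None,
    }


# Constructed sample referrals (reserved .example names, documentation addresses).
FLOOD = Referral(
    "attacker.example.",
    [f"ns{i}.victim.example." for i in range(1000)],
)
NORMAL = Referral(
    "shop.example.",
    ["ns1.shop.example.", "ns2.shop.example."],
    {"ns1.shop.example.": "192.0.2.1", "ns2.shop.example.": "192.0.2.2"},
)

if __name__ == "__main__":
    for ref in (FLOOD, NORMAL):
        plan = plan_ns_lookups(ref)
        print(ref.zone, "lookups:", len(plan["resolve"]),
              "skipped:", plan["skipped"], "alert on:", plan["pointed_at"])
```

With the cap in place, the constructed 1,000-name referral costs the resolver five lookups instead of a thousand, and the alert names the zone that would otherwise have received the surge.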


Czech Parliamentary Election Websites Hit by Cyberattacks

The Czech statistical office has reported DDoS (Distributed Denial of Service) attacks on websites related to the recent parliamentary elections during the vote count. A number of websites of the Czech statistical office (CZSO) have been subject to cyberattacks during the counting of votes in the Czech parliament’s lower house election, Petra Bacova, the CZSO spokeswoman, told Sputnik Sunday. “The websites related to the parliamentary elections — volby.cz and volbyhned.cz — have temporarily failed to function due to DDoS attacks [Distributed Denial of Service] during the vote count on Saturday. These attacks have not affected the overall progress of the election,” Bacova said. The police along with the Czech National Cyber and Information Security Agency have already launched an investigation into the attacks. “Thanks to the rapid response, the attacks on both aforementioned servers have been neutralized, while the work of the websites has been resumed,” Bacova said. The Czech Republic held an election to the lower house of the parliament on Friday-Saturday. The centrist ANO political party won the election, receiving 29.64 percent of votes. Czech President Milos Zeman stated that he was ready to appoint Andrej Babis, ANO’s leader, as Czech prime minister. Source: https://sputniknews.com/europe/201710231058456317-czech-election-hit-cyberattack/


New Mirai-Like Malware Targets IoT Devices

Security researchers are warning about malware that’s been enslaving routers, webcams and DVRs across the world to create a giant botnet capable of disrupting the internet. The malware, called Reaper or IoTroop, isn’t the first to target poorly secured devices. But it’s doing so at an alarmingly fast rate, according to security firm Check Point, which noticed the malicious code last month. The malware has infected “hundreds of thousands” of devices, said Maya Horowitz, threat intelligence group manager at Check Point. Reaper brings up memories of malware known as Mirai, which formed its own giant botnet in 2016 and infected over 500,000 IoT devices, according to some estimates. It then began launching a massive distributed denial-of-service (DDoS) attack that disrupted internet access across the US. Reaper could be used to launch a similar attack, Check Point researchers said. The good news is the infected bots haven’t launched any DDoS campaigns. Instead, they’re still focused on enslaving new devices. Researchers at security firm Qihoo 360 also noticed the Reaper malware, and found evidence it was trying to infect at least 2 million vulnerable devices. Reaper even borrows some source code from Mirai, though it spreads itself differently, Qihoo said. Unlike Mirai, which relies on cracking the default password to gain access to the device, Reaper has been found targeting around a dozen different vulnerabilities found in products from D-Link, Netgear, Linksys, and others. All these vulnerabilities are publicly known, and at least some of the vendors have released security patches to fix them. But that hasn’t stopped the mysterious developer behind Reaper from exploiting the vulnerabilities. In many cases, IoT devices will remain unpatched because the security fixes aren’t easy to install. Who may have created the malware and what their motives are still isn’t known, but all the tools needed to make it are actually available online, Horowitz said. 
For instance, the source code to the Mirai malware was dumped on a hacking forum last year. In addition, data about the vulnerabilities Reaper targets can be found in security research posted online. “It’s so easy to be a threat actor when all these public exploits and malware can be just posted on GitHub,” she said. “It’s really easy to just rip the code, and combine, to create your own strong cyber weapon.” Unfortunately, little might be done to stop the Reaper malware. Security experts have all been warning that poorly secured IoT devices need to be patched, but clearly many haven’t. “This is another wakeup call” for manufacturers, Horowitz said. Source: https://www.pcmag.com/news/356926/new-mirai-like-malware-targets-iot-devices


Android malware on Google Play grows botnets, launches DDoS attacks

The Sockbot malware has made its way into at least eight apps in the Google Play Store with the intent of adding devices to botnets and performing DDoS attacks. Symantec researchers said the malicious apps have each been downloaded between 600,000 and 2.6 million times and have primarily targeted users in the United States, although infections have been spotted in Russia, Ukraine, Brazil, and Germany, according to an Oct. 18 blog post. One of the malicious apps poses as an app that will allow users to modify their Minecraft characters. The app uses a SOCKS proxy mechanism and is commanded to connect to an ad server and launch ad requests. “This highly flexible proxy topology could easily be extended to take advantage of a number of network-based vulnerabilities, and could potentially span security boundaries,” the post said. “In addition to enabling arbitrary network attacks, the large footprint of this infection could also be leveraged to mount a distributed denial of service (DDoS) attack.” Researchers contacted Google Play on Oct. 6 and the malicious apps have since been removed from the store. To prevent downloading similar malicious apps, users should keep software updated, refrain from downloading apps from unfamiliar sites, only install apps from trusted sources, and pay close attention to the permissions requested by an app. Users should also install mobile security apps and make frequent backups of data. Source: https://www.scmagazine.com/sockbot-malware-adds-devices-to-botnets-executes-ddos-attacks/article/701189/


What is cyber terrorism?

How is cyber terrorism defined and how likely is an attack?

Everyone is familiar with what “terrorism” means, but when we stick the word “cyber” in front of it, things get a bit more nebulous. Whereas the effects of real-world terrorism are both obvious and destructive, those of cyber terrorism are often hidden to those who aren’t directly affected. Also, those effects are more likely to be disruptive than destructive, although this isn’t always the case.

Cyber terrorism incidents

One of the earliest examples of cyber terrorism is a 1996 attack on an ISP in Massachusetts. Cited by Edward Maggio of the New York Institute of Technology and the authors of Internet: A Historical Encyclopedia, Volume 2, a hacker allegedly associated with the white supremacist movement in the US broke into his Massachusetts-based ISP after it prevented him from sending out a worldwide racist message under its name. The individual deleted some records and temporarily disabled the ISP’s services, leaving the threat “you have yet to see true electronic terrorism. This is a promise”.

While this is a clear example of a cyber-terrorist incident carried out by a malicious, politically motivated individual that caused both disruption and damage, other frequently listed examples fit less clearly into the category of “terrorism”. For example, while attacks that have taken out emergency services call centres or air-traffic control could be considered cyber terrorism, the motivation of the individuals is often unclear. If a person caused real-life disruption to these systems, but had no particular motivation other than mischief, would they be classed as a terrorist? Perhaps not. Similarly, cyber protests such as those that occurred in 1999 during the Kosovo conflict against NATO’s bombing campaign in the country, or website defacements and DDoS attacks, are arguably online versions of traditional protests, rather than terrorism.
Additionally, in the case of civil war, if one side commits a cyber attack against the other then it can be said to be more of an act of war – or cyber war – than one of cyber terror. Again, where there is a cold war between nations, associated cyber attacks could be thought of as sub-conflict level skirmishes. Indeed, the FBI defines cyber terrorism as “[any] premeditated, politically motivated attack against information, computer systems or computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents”. Under this definition, very few of the tens of thousands of cyber attacks carried out every year would count as cyber terrorism.

The future of cyber terrorism

As the number of connected devices increases, the likelihood of a more destructive cyber terrorist incident – something on a par with an attack in the physical world – becomes increasingly possible. The security industry is full of stories and proofs of concept about hacking medical devices, with two particularly famous demonstrations being given by New Zealander Barnaby Jack. This opens up the possibility for targeted assassinations or mass-scale killings carried out remotely and potentially across borders. Similarly, there are concerns self-driving vehicles could be turned into remote-controlled missiles and used in an attack, although the counter argument is that such vehicles will make the roads safer in the face of terrorists driving conventional vehicles into crowds. Another possible style of cyber terrorism is disruption of infrastructure in a way that could potentially endanger life. For example, in 2016 an unknown actor caused a disruption that saw two apartment buildings in Finland lose hot water and heating for a week in the dead of winter. In locations as cold as Finland, actions like this could cause illness and death if widespread and sustained.
Nevertheless, the likelihood is most serious cyber attacks will be acts of cyber warfare, rather than cyber terrorism, as nation states have larger and more sophisticated resources at hand. Source: http://www.itpro.co.uk/security/29726/what-is-cyber-terrorism


More than half of businesses fell victim to DDoS attacks in the past year, survey shows

CDNetworks research shows 54% of businesses were hit by distributed denial of service attacks in the last year, and many feel they are underinvesting in cyber defences. More than half of businesses (54%) have been victims of successful distributed denial of service (DDoS) attacks over the past 12 months, according to research from cloud security firm CDNetworks. The company surveyed 305 organisations in the UK, Germany, Austria and Switzerland about the technologies that protect them from cyber attacks. Some 83% of the respondents felt either confident or very confident about their cyber defences, but 44% felt they were currently underinvesting in anti-DDoS technologies. Chris Townsley, EMEA director for CDNetworks, told Computer Weekly that this mix of opinions was strange. “Not only is there widespread complacency – the overwhelming confidence in DDoS protection, undermined by the high proportion of businesses suffering successful attacks – but there is also a significant number of businesses that are worried that they have not invested enough,” he said. “It is odd to see so much confidence alongside such doubt about whether enough is being done.” The survey also found that 64% of organisations said they would be investing more in such technology over the next year, and in terms of expectation of an attack, 79% rated the likelihood of an attack as between “likely” and “almost certain”. This attitude is reflected in the frequency of incidents, with 86% saying they had suffered a DDoS attack in the previous 12 months. The size of attacks is also growing. In the first half of 2015, the largest DDoS attack recorded was 21Gbps, but during the equivalent period in 2016, it was 58.8Gbps. Also, 31% of attacks in the first half of 2016 were 50Gbps or more, but there were no attacks of that size in the first half of 2015. Townsley added: “As the size of attacks increases, businesses need to look more at protection from the edge and not at the origin or datacentre.
“As the size of traffic increases, so does the likelihood that the bandwidth of the origin server will be saturated, no matter what protection is in place to keep it up and functioning. “Also, with the frequency of attacks increasing, businesses should move to a mindset of ‘when’ and not ‘if’ an attack will occur.” When asked whether the number of successful attacks was due to businesses buying the wrong security products, Townsley said: “It could be that the type of protection was not suitable, or was suitable for some types of attack but not all. As the types of attack are changing all the time, products can become obsolete.” Source: http://www.computerweekly.com/news/450428288/More-than-half-of-businesses-fell-victim-to-DDoS-attacks-in-the-past-year-survey-shows


Dark Web Marketplaces Go Down In Reported Mass DDoS Attack

There seems to be some turbulence going on in the murky world of the dark web, with four of its major drug marketplaces unexpectedly going offline, reports said. The dark web is a section of the internet where people contact each other anonymously without the fear of being monitored. It is usually used by criminals to sell drugs, chemicals, weapons, child abuse images and even offer assassination services. Websites The Trade Route, Tochka, Wall Street Market and Dream Market were down without any notification or clarification from the sites’ administrators. According to some users of such markets, this might either be a DDoS attack by a hacker or a large-scale action by law enforcement authorities. However, there are more chances of the former happening than the latter. Some dark web users have also started complaining of botnet attacks. Another farfetched theory is that this is a scam by a bunch of drug dealers, taking off with the money of their clients while not providing them with the required merchandise. With no notification or clarification from the sites’ administrators, the exact reason for the sudden disappearance of such marketplaces remains unclear. However, a user going by the name Automoderator commented on the subreddit /r/DarkNetMarketNoobs that the WallStreetMarket is not listed currently, as it is facing “very serious issues” and warned others to avoid it at all costs. Some other users on the subreddit say that the Dream Market has been working fine on all its mirrors, but its main site is down. At the time of writing, the marketplaces were still down, according to dark web marketplace tracker deepdotweb. Many sites on the dark web are also run by law enforcement — the Australian Police ran one of the world’s biggest child porn sites on the dark web between October 2016 and September 2017, called Child’s Play, in an effort to nab pedophiles.
The police grabbed the administrator access from two cyber criminals, Benjamin Faulkner and Patrick Falte, and started administering the sites. Police even posted more child porn on the site in an effort to convince the viewers that the site had not been taken over by the authorities. By the time they shut down the site, police were able to nab more than 90 pedophiles in Australia and 900 across the world. If the marketplaces were being taken over by law enforcement to nab drug traffickers and child porn purveyors, it might be a different case. However, the development has many dark web users in a state of paranoia and many users have posted on Reddit reminding other users of such busts. Such attacks on dark web markets in the past have usually begun with large-scale DDoS attacks. In July, a massive trans-continental sting saw two of the dark web’s biggest sites at the time, AlphaBay and Hansa, being taken down. Law enforcement agencies claimed they were able to collect incriminating information on hundreds of buyers and vendors, going as far as threatening to prosecute them. Source: http://www.ibtimes.com/dark-web-marketplaces-go-down-reported-mass-ddos-attack-2601105


33% of businesses hit by DDoS attack in 2017, double that of 2016

Distributed Denial of Service attacks are on the rise this year, and used to gain access to corporate data and harm a victim’s services, according to a Kaspersky Lab report. Cybercriminals are increasingly turning to Distributed Denial of Service (DDoS) this year, as 33% of organizations faced such an attack in 2017—up from just 17% in 2016, according to a new report from Kaspersky Lab. These cyber attacks are hitting businesses of all sizes: Of those affected, 20% were very small businesses, 33% were SMBs, and 41% were enterprises. Half of all businesses reported that the frequency and complexity of DDoS attacks targeting organizations like theirs is growing every year, highlighting the need for more awareness and protection against them, according to Kaspersky Lab. Of the companies that were hit in 2016, 82% said that they faced more than one DDoS attack. At this point in 2017, 76% of those hit said they had faced at least one attack. Cybercriminals use DDoS attacks to gain access to valuable corporate data, as well as to cripple a victim’s services, Kaspersky Lab noted. These attacks often result in serious disruption of business: Of the organizations hit by DDoS attacks this year, 26% reported a significant decrease in performance of services, and 14% reported a failure of transactions and processes in affected services. Additionally, some 53% of companies reported that DDoS attacks against them were used as a smokescreen to cover up other types of cybercrime. Half (50%) of these respondents said that the attack hid a malware infection, 49% said that it masked a data leak or theft, 42% said that it was used to cover up a network intrusion or hacking, and 26% said that it was hiding financial theft, Kaspersky Lab found. These results are part of Kaspersky Lab’s annual IT Security Risks survey, which included responses from more than 5,200 representatives of small, medium, and large businesses from 29 countries. 
“The threat of being hit by a DDoS attack – either standalone or as part of a greater attack arsenal – is showing no signs of diminishing,” said Kirill Ilganaev, head of Kaspersky DDoS protection at Kaspersky Lab, in a press release. “It’s not a case of if an organization will be hit, but when. With the problem growing and affecting every type and size of company, it is important for organizations to protect their IT infrastructure from being infiltrated and keep their data safe from attack.”

Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.

33% of organizations experienced a DDoS attack in 2017, compared to 17% in 2016. -Kaspersky Lab, 2017

Of organizations hit by DDoS attacks, 20% were very small businesses, 33% were SMBs, and 41% were enterprises. -Kaspersky Lab, 2017

53% of companies reported that DDoS attacks against them were used as a smokescreen to cover up other types of cybercrime, including malware, data leaks, and financial theft. -Kaspersky Lab, 2017

Source: http://www.techrepublic.com/article/33-of-businesses-hit-by-ddos-attack-in-2017-double-that-of-2016/
