Tag Archives: var-username

Luxembourg government servers forced offline by DDoS attack

Authorities in Luxembourg have said that government servers had come under a DDoS attack on Monday. According to reports from the Luxemburger Wort, the attack started at 9.30 am, forcing the web servers of many state authorities offline or difficult to reach. Just over an hour later, the state-owned IT operator “Centre des Techniques de l’information de l’Etat” (CTIE) sent a message via Twitter, to confirm that the network was the victim of a DDoS attack. Reports by Luxemburg publication Paperjam said that over a hundred servers had been affected by the attack and that the attack impacted servers for more than 24 hours. Gilles Feith, chief of the CTIE government IT centre, said that this was the first-time Luxembourg authorities had been targeted to such an extent but could not confirm the origin of the attack. “Before it gets back to normal, it may take some time to wait,” said Feith, adding it may take “a few hours or even days.” Stephanie Weagle, VP, Corero Network Security, told SC Media UK that DDoS attacks have become many things over the last decade; weapons of cyberwarfare, security breach diversions and service impacting strategies. “The motivations for these attack campaigns are endless – financial, political, nation-state, extortion and everything in between,” she said. Weagle added: “Continuing to rely on traditional IT security solutions, and or human intervention to deal with the growing DDoS epidemic will continue to prove devastating to businesses. As recent events have confirmed once again, proactive, automated protection is required to keep the Internet connected business available in the face of DDoS attacks.” Pascal Geenens, Radware EMEA security evangelist, told SC Magazine that these days anyone has access to booter or stresser services or DDoS-for-hire. “Services are available on the Darknet as well as on the Clearnet and for just a couple of Euros one can launch a DDoS attack by a click of the mouse,” he said. Geenens added the release of the Mirai source code last October was a turning point. “We saw a huge rise in the number of botnets leveraging IoT devices (mostly IP cams and residential routers) and attacks grew in size. A 1Tbps attack should not come as a surprise today, the potential certainly is there.” He said the motivation behind DDoS attacks can be many things, combined with the user-friendly experience and low price provided by the services to perform them, the spectrum of motivations is only widening. “The main drive of most cyber-crime is still money, we have witnessed countless cyber-ransoms leveraging DDoS. This attack could be precursor of a larger RDoS. Attackers typically provide some proof they have the ability to interrupt the service, which is typically followed by a message with a demand for ransom and if the victim does not pay there will be an ultimatum followed by a much larger and longer attack.” Geenens said the number and size of DDoS attacks is growing and we do not predict this trend will slow in the near future. “My advice to any online business or government, it is five past 12, everybody is a potential target. Make DDoS protection a priority. UEBA is another technology that should be part of the strategy for organisations that carry important or sensitive information.” Source: https://www.scmagazineuk.com/luxembourg-government-servers-forced-offline-by-ddos-attack/article/641003/

View post:
Luxembourg government servers forced offline by DDoS attack

Man suspected of DT router DDoS attack arrested in Luton airport

A man has been arrested by agents from the National Crime Agency (NCA) following a European Arrest Warrant put out by Germany’s federal police. Germans are to seek extradition of the suspect under charges of computer sabotage. The British man suspected of carrying out the DDoS attack on 900,000 Deutsche Telekom home broadband reuters in November 2016 has been arrested at Luton airport just outside London. The DDoS attack saw 900,000 routers, and by extension, the service of broadband briefly stopped. As they use the same routers, customers of UK ISP TalkTalk and the UK’s Post Office’s broadband customers were also affected by this. Arrested by the UK’s National Crime Agency (NCA), by request of Germany’s federal police (BKA) under a European Arrest Warrant, Germany is now expected to seek extradition of the 29-year-old to face charges of computer sabotage. In a German-language statement, the BKA said the attack last year was “particularly serious” and was carried out in a bid to enroll the home routers in a botnet. The statement explains that Federal police are involved because the attack was classed as a threat to Germany’s national communication infrastructure. Public prosecutor Dr Daniel Vollmert from Cologne, Germany, told the Press Association, “he is accused of being the mastermind behind the attack.” The routers were believed to have a particular vulnerability, and all found using IoT search engine Shodan. Once detected, it was hijacked using the vulnerability, and then used to mount a DDoS attack. The attack is believed to have been carried out using a variant of the Mirai malware, which caused much havoc in late 2016 as it was used in the attacks on DNS provider Dyn, French web hosting company OVH and the website of security researcher Brian Krebs. Source: https://www.scmagazineuk.com/man-suspected-of-dt-router-ddos-attack-arrested-in-luton-airport/article/640082/

Continue reading here:
Man suspected of DT router DDoS attack arrested in Luton airport

Defending against DDoS-Day

It was tax time in Australia, 2014, and one Sydney tax agent, like many others across the country, was all-hands-on-deck as staff took endless calls and filled appointment diaries. The frantic pace was welcomed at the young firm, which prided itself on being hip, casual, and cool. The firm’s slick, mobile-friendly website and a good search engine ranking brought a decent rush of new clients to the firm each year. So when the site went on- and offline over the course of a week, phones stopped ringing and staff panicked. The firm was on the receiving end of a distributed denial-of-service (DDoS) attack from IP addresses out of Eastern Europe that overwhelmed the small business IT infrastructure. An email in the company’s generic inbox demanded that US$1,000 be wired to a Western Union account in order for the attacks to stop. “We called our tech guys and they tried to block it,” a senior tax accountant told CRN on condition of anonymity. “We called the cops, but no-one could fix it quickly enough so we paid.” The price was cheap compared to the damage wrought. And fears that the criminals would just ask for more money once the ransom was paid were unfounded; the attacks stopped abruptly and no more was heard from them. Booters and stressers When a dam threatens to breach, it helps to have a network of diversion channels where the water can flow away from the towns below. So it is that a wave of DDoS packets can be soaked up by throwing large networks in front of the target. The floods are becoming more common, but their nature is changing to something more efficient and dangerous than in previous years. Akamai’s latest release of the popular State of the Internet report for the last quarter of 2015 finds a 149 percent increase in total DDoS attacks and a 169 percent increase in infrastructure layer attacks over the same period in 2014. The “vast majority” of these attacks were from so-called booter or stresser providers, the DDoS-for-hire services that operate with a gossamer-thin veil of legitimacy for customers who pay hourly to monthly rates to point the attacks at their own infrastructure. Of course, many who use the services point the booters at rival businesses, governments and, notably, live-stream gaming video channels operated by rivals. These attacks have “increased dramatically”, Akamai says, compared to the preceding three months, with use of network timing attacks that power the booters up by 57 percent on the previous quarter. Such attacks abuse the network timing protocol so a small query generates a large response, which is redirected at a target. “Network Time Protocol amplification attacks have be used in large-scale DDoS attacks peaking shy of 400Gbps, but DNS amplification attacks have also been successfully used to cripple infrastructure and cause serious financial losses,” BitDefender senior threat analyst Adrian Liviu Arsene says. “One of the largest DDoS attack to date was reported to have reached around 500Gbps, although the standard is somewhere around 100Gbps.” Motive and intent Distributed denial-of-service is the second most likely digital attack to be familiar to the average pedestrian after viruses. The method of attack hit mainstream headlines some six years ago, when online activist group Anonymous brought down major websites, including Paypal, the Recording Industry Association of America and the sites of Canberra public agencies. Systematic arrests followed, bursting the bubble of those participants who thought safety in numbers would shield their IP addresses from being singled out by police. It signalled a fall in popularity of DDoS as a means of protest. The criminal undercurrent remains and here cash is king, but motivations still vary. Businesses use DDoS attacks to knock off rivals and criminals to send sites offline until a ransom is paid. Yet others use the digital flood as a diversion to distract security defenders and set off alarms while they hack into back-end systems. One group known as DDoS for Bitcoin, or DDoS4BC, is using the proven anonymity of the crypto-currency to extort companies through DDoS. It is a safer model for criminals than that which ripped through the Sydney tax accountancy, and considerably more expensive for victims. It is, as of January, known to have hit more than 150 companies around the world, first sending an extortion note demanding between AU$5,600 and a whopping AU$112,000 in Bitcoins before launching small DDoS attacks to demonstrate the group’s capabilities. For some victims, the DDoS may be short-lived and devoid of any apparent motive, according to Verizon Enterprise Solutions investigative response managing principal Ashish Thapar. “We have definitely seen DDoS on the rise and several of our partners are logging double the [usual] number of incidents,” Thapar says. “We are also seeing DDoS attacks bringing companies them to their knees but not entirely offline, which acts as a smokescreen for advanced persistent threat attacks at the back end.” That’s also something Secure Logic chief executive officer Santosh Devaraj has seen. The company hosts iVote, the electronic voting system for NSW, and last year bagged the $990,000 contract to operate it until 2020. “There are ‘DDoS for hire’ groups we’ve seen as part of monitoring iVote that may be trying to gain access to infrastructure at the back,” Devaraj says. “The real threat may not be the DDoS.” DDoS down under Australian businesses are less targeted than those overseas, experts agree, thanks in part to our smaller internet pipes. But with the NBN rolling out, DDoS Down Under is expected to become big. The midmarket is likely to be hit harder, BitDefender’s Arsene says. “Midmarket DDoS attacks are likely to rise as the chances of targets actually paying are higher than for other organisations,” he says. “[Criminals] specifically target midmarket companies that don’t have the technical resources to fend off such attacks.” Akamai chief strategist John Ellis agrees, saying extortionists “tend to hit the sites with a large online presence”. “For cyber adversaries, the [midmarket] provides a fantastic target,” Ellis adds. “A Sydney developer team that relies heavily in online app availability, for example, may have to seriously consider whether it rolls over and pays DDoS extortionists.” The attacks in Australia are, for now, fairly small. “We are seeing bigger DDoS attacks, but they’re nowhere near the size of attacks in the US,” says Melbourne IT cloud and mobile solutions general manager Peter Wright. “It is partly because infrastructure and bandwidth limitations reduce the size of DDoS attacks. It is an attribute of infrastructure capacity and there is a risk that, as we broaden the pipes [as part of the National Broadband Network], it brings huge benefits but increases the risk profile as well.” Sinking feeling Big banks are smashed by DDoS attacks every day and largely do not bat an eyelid. Online gambling companies, too, across Australia are blasted during big sporting events. These top end of town players have expensive, tried-and-tested scrubbing mechanisms to largely neuter DDoS attacks, although some betting agencies are known to have regularly paid off attackers during the Melbourne Cup, treating it as a cost of business. The midmarket is not left to its own devices, however. Hosting providers like Melbourne IT and others offer DDoS protection against applications and services, while other companies have cheaper offerings for the budget market. “I am sympathetic to the midmarket, their need for bang-for-buck,” Ellis says. “The challenge for the midmarket is that they don’t have the money that they need… they should focus on business outcomes and partners who understand their business and design outcomes.” For Secure Logic’s Devaraj, DDoS mitigation comes down to a solid cyber security operations centre. “It is where I believe the industry should invest, rather than a particular technology.” Yet companies can use free or cheap DDoS protection from the likes of CloudFlare, or opt for do-it-yourself options that require hardening of security defences – something the average small technology shop may lack the ability to do. “There are DDoS sinkholes and capabilities with our cloud partners,” Wright says. “If a resource or function is hit, we can move workloads to other resources dynamically.” Arsene agrees. “Midmarket tech guys need to start by incorporating DDoS attack risks into their corporate security strategies. Using a secure and managed DNS that supports changing internet protocols on the fly is also recommended, as well as patching software vulnerabilities to mitigate application layer attacks.” Source: http://www.crn.com.au/feature/defending-against-ddos-day-419470/page1 http://www.crn.com.au/feature/defending-against-ddos-day-419470/page2

Read the original post:
Defending against DDoS-Day

Flaw in Juniper’s JunOS router software could cause DDoS flood

Juniper has disclosed that that a problem with the Junos router could enable DDoS attacks Juniper has admitted that a vulnerability in IPv6 processing on its Junos router OS could allow malicious packets to be sent to networks resulting in a DDoS attack on infrastructure. In an advisory, the firm said the flaw could enable a specially crafted “IPv6 Neighbor Discovery” (ND) packet to be accepted by the router rather than discarded. “The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out,” the firm said. The firm added that this is similar to the router’s response to any purposeful malicious IPv6 ND flood destined to the router. “The difference is that the crafted packet identified in the vulnerability is such that the forwarding controllers/ASICs should disallow this traffic from reaching the RE for further processing,” according to the advisory. It said that following investigations, only its MX, PTX, and QFX products have been confirmed to experience this behaviour. Juniper added that no fix was presently available at the time of writing and neither was a complete workaround. “Security best current practices (BCPs) of filtering all ND traffic at the edge, destined to network infrastructure equipment, should be employed to limit the malicious attack surface of the vulnerability,” the firm advised. Rich Barger, chief intelligence officer at ThreatConnect, told SCMagazineUK.com that organisations should look to either filter the protocol or packet (if possible). “It looks as if Juniper has included edge firewall rules that can block the neighbour discovery packets as a means to buffer any vulnerable devices,” he said. Richard Cassidy, technical director EMEA at Alert Logic, said that this flaw represents a serious issue for organisations that “Dual Stack” networking with IPv6 and IPv4. He told SC that the issue was “essentially a DDoS attack, through a specially crafted IPv6 ND packet, that can be targeted at JunOS routers from remote attackers. It is fairly simple to identify router OS versions through scanning techniques, which of course leaves most organisations at risk at some level, given the prevalence of Juniper in networking infrastructures globally.” Alex Cruz Farmer, VP of cloud at Nsfocus, told SC that almost every network around the world is considering or planning IPv6 if they have not already. “With this in mind, it’s crucial that the protection is implemented now, to avoid this security hole being exploited in future.” Source: http://www.scmagazineuk.com/flaw-in-junipers-junos-router-software-could-cause-ddos-flood/article/501681/

Visit link:
Flaw in Juniper’s JunOS router software could cause DDoS flood

Massive DDoS attacks reach record levels as botnets make them cheaper to launch

Nineteen attacks that exceeded 100Gbps were recorded during the first three months of 2016 There were 19 distributed denial-of-service (DDoS) attacks that exceeded 100 Gbps during the first three months of the year, almost four times more than in the previous quarter. Even more concerning is that these mega attacks, which few companies can withstand on their own, were launched using so-called booter or stresser botnets that are common and cheap to rent. This means that more criminals can now afford to launch such crippling attacks. “In the past, very few attacks generated with booter/stresser tools exceeded the 100 Gbps mark,” researchers from Akamai said in the company’s State of the Internet security report for the first quarter of 2016 that was released Tuesday. By comparison, only five DDoS attacks over 100 Gbps were recorded during the fourth quarter of 2015 and eight in the third quarter. Nineteen such attacks in a single quarter is a new high, with the previous record, 17, set in the third quarter of 2014. But high bandwidth is not the only aspect of DDoS attacks that can cause problems for defenders. Even lower-bandwidth attacks can be dangerous if they have a high packet rate. A large number of packets per second poses a threat to routers because they dedicate RAM to process every single packet, regardless of its size. If a router serves multiple clients in addition to the target and exhausts its resources, that can cause collateral damage. According to Akamai, in the first quarter there were six DDoS attacks that exceeded 30 million packets per second (Mpps), and two attacks that peaked at over 50 Mpps. DDoS reflection and amplification techniques continue to be used extensively. These involve abusing misconfigured servers on the Internet that respond to spoofed requests over various UDP-based protocols. Around one-in-four of all DDoS attacks seen during the first three months of 2016 contained UDP (User Datagram Protocol) fragments. This fragmentation can indicate the use of DDoS amplification techniques, which results in large payloads. The four next most common DDoS attack vectors were all protocols that are abused for DDoS reflection: DNS (18 percent), NTP (12 percent), CHARGEN (11 percent) and SSDP (7 percent). Another worrying trend is that an increasing number of attacks now use two or more vectors at the same time. Almost 60 percent of all DDoS attacks observed during the first quarter were multivector attacks: 42 percent used two vectors and 17 percent used three or more. “The continued rise of multi-vector attacks suggests that attackers or their attack tools are growing more sophisticated,” the Akamai researchers said in their report. “This causes problems for security practitioners, since each attack vector requires unique mitigation controls.” China, the U.S. and Turkey were the top three countries from where DDoS attack traffic originated, but this indicates where the largest number of compromised computers and misconfigured servers are located, not where the attackers are based. The most-hit industry was gaming, accounting for 55 percent of all attacks. It was followed by software and technology (25 percent), media and entertainment (5 percent), financial services (4 percent) and Internet and telecommunications (4 percent). Being hit by one isn’t the only way DDoS attacks can affect businesses: They can also be blackmailed with the threat of one, an increasing trend over the past year. In some cases attackers don’t even have to deliver on their threats. Researchers from CloudFlare reported recently that an extortion group earned $100,000 without ever launching a single DDoS attack. Source: http://www.itnews.com/article/3079988/massive-ddos-attacks-reach-record-levels-as-botnets-make-them-cheaper-to-launch.html

See original article:
Massive DDoS attacks reach record levels as botnets make them cheaper to launch

Anonymous DDoS and shutdown London Stock Exchange for two hours

Anonymous hacktivists take down the London Stock Exchange website for more than two hours as part of protest against world’s banks The online hacktivist group, Anonymous reportedly shut down the London Stock Exchange (LSE) website last week for more than two hours as part of a protest against world’s banks and financial institutions. According to the Mail on Sunday, the attack was carried out by Philippines unit of Anonymous on June 2 at 9am. Previous targets have included the Bank of Greece, the Central Bank of the Dominican Republic and the Dutch Central Bank. The newspaper says: “Anonymous claims the incident was one of 67 successful attacks it has launched in the past month on the websites of major institutions, with targets including the Swiss National Bank, the Central Bank of Venezuela and the Federal Reserve Bank of San Francisco.” A spokesperson for the LSE declined to comment on the incident, however, the attack most likely took the form of a distributed denial of service (DDoS) attack, meaning trading would not have been affected and no sensitive data would have been compromised. In the 24 hours before the LSE site went down, the group also claims that the attack on the LSE was the latest in a series that has also seen it target the websites of NYSE Euronext, the parent company of the New York Stock Exchange and the Turkey Stock Exchange, as part of a campaign called Operation Icarus. According to the newspaper, City of London Police said it was not informed that the LSE website had gone down and had no knowledge of the attack. However, the latest attack may not be a complete surprise. In a video posted to YouTube on May 4, a member of the amorphous group announced in that “central bank sites across the world” would be attacked as part of a month-long Operation Icarus campaign. The video statement said: “We will not let the banks win, we will be attacking the banks with one of the most massive attacks ever seen in the history of Anonymous.” By using a distributed-denial-of-service (DDoS) cyberattack, the group also successfully disrupted the Greek central bank’s website. In light of that event, a separate video was posted to YouTube on May 2. The masked individual representing Anonymous group said: “Olympus will fall. How fitting that Icarus found his way back to Greece. Today, we have continuously taken down the website of the Bank of Greece. Today, Operation Icarus has moved into the next phase.” The Anonymous spokesperson added: “Like Icarus, the powers that be have flown too close to the sun, and the time has come to set the wings of their empire ablaze, and watch the system their power relies on come to a grinding halt and come crashing down around them. We must strike at the heart of their empire by once again throwing a wrench into the machine, but this time we face a much bigger target – the global financial system.” Source: http://www.techworm.net/2016/06/anonymous-ddos-shutdown-london-stock-exchange-two-hours.html

Continue reading here:
Anonymous DDoS and shutdown London Stock Exchange for two hours

Hackers Hit Facebook CEO Mark Zuckerberg’s Twitter and Pinterest Accounts

Facebook co-founder and CEO Mark Zuckerberg was apparently targeted by a hacking team over the weekend that was able to access his seldom-used Twitter and Pinterest accounts. The hacker group OurMine, believed to be based in Saudi Arabia, posted messages to Zuckerberg’s Twitter account, @finkd, which features just 19 tweets and hasn’t been otherwise updated since 2012. The team also briefly commandeered Zuckerberg’s Pinterest account, which has just a few boards and pins. Both Twitter and Pinterest have since removed the unauthorized content on Zuckerberg’s accounts, and Twitter has also suspended OurMine’s main account. The group is now posting on Twitter via a backup account. ‘Saving People from Other Hackers’ On Sunday, OurTeam tweeted on the backup account, “i don’t understand why @twitter suspended our account while we are saving people from other hackers!” Another tweet posted this morning added, “Our Old Twitter (@_OurMine_) is suspended because we are just trying to secure Mark Zuckerberg Accounts!” The person or people posting to the backup OurTeam Twitter page also noted they would try to get the team’s main Twitter account unsuspended. Contrary to some news reports stating that OurTeam claimed to have found Zuckerberg’s login information from user data leaked from a major hack attack on LinkedIn in 2012, the hacking group noted in a tweet yesterday that it had made no such claim and added that it had never used LinkedIn. ‘Relatively New’ Hacking Group OurMine is a “relatively new” hacking group that first appeared on Twitter in March 2015, according to a report published by the content delivery network specialist Akamai last year. The team initially appeared to focus on distributed denial of service (DDoS) attacks on gaming services, and later took responsibility for similar such attacks on financial service companies. Nine companies were attacked by OurTeam on July 22 of last year, with the combined DDoS attack levels exceeding 117 gigabytes per second. OurMine has also claimed to have attacked a number of other targets, including Soundcloud and PewDiePie. Zuckerberg hasn’t made any public statement regarding the OurMine attacks on his accounts. However, after OurMine tweeted it had accessed his accounts, Zuckerberg responded, “No you didn’t. Go away, skids.” That tweet has also since been removed. A June 2012 hack of LinkedIn was originally believed to have involved just 6.5 million passwords — at least, that’s the number LinkedIn first acknowledged. However, a report emerged last month that a dark Web marketplace and another site, LeakedSource, had obtained data from 167 million hacked LinkedIn accounts. Of those, 117 million included e-mails and passwords. The remaining accounts are thought to belong to users who logged into the site via Facebook. Some news reports have stated that OurTeam claimed to have found Zuckerberg’s Twitter and Pinterest password — “dadada” — in the compromised LinkedIn data. Source: http://www.sci-tech-today.com/news/Hackers-Hit-Zuckerberg-s-Accounts/story.xhtml?story_id=012001GT5W5O

BitGo Under DDoS Attack; Wirex Advises Customers Not To Use Platform

Wirex, a bitcoin debit card provider, sent an email to customers today advising them to avoid making transactions on the Wirex platform until it could confirm from thatBitGo services have been resumed. The message included a BitGo tweet advising users it was under a distributed denial of service (DDoS) attack. BitGo is a wallet and a security platform for bitcoin and blockchain technologies. “We, therefore, recommend to avoid making any transactions via E-Coin/Wirex platform until confirmation from BitGo that the services have been resumed,” the Wirex email noted. The BitGo tweet stated: “We apologize for the issue, but we’re under DDOS attack at this moment. We’re working on it and will keep you updated.” Wirex is a wallet service that provides both physical and virtual bitcoin debit cards. Wirex users were able to send bitcoin from within the BitGo Instant network. BitGo Offers Instant Settlement Wirex uses the BitGo Instant service, which provides immediate settlement of bitcoin transactions, CCN reported in February. There was nothing on the BitGo blog about the attack at the time of this report. BitGo’s service eliminates the “double spend” potentiality in bitcoin transactions. The service is for users seeking instant bitcoin transactions while securing funds against the possibility that the sender will spend the money elsewhere before the transaction gets confirmed via the blockchain. BitGo provides immediate transaction settlement using the crypto keys among participating users’ wallets. BitGo Gains A Following Other cryptocurrency exchanges and apps offering BitGo Instant include Bitstamp, Bitfinex, Unocoin, Kraken and the Fold app. There have been several DDoS attacks bitcoin wallets and exchanges in recent months. Bitcoin and alt.coins exchange BTC-e suffered a DDoS attack in January. BTCC, the Shanghai, China-based digital currency exchange, suffered a DDoS attack at the end of last year. OkCoin, another exchange, was also the target of a DDoS attack in July. Source: https://www.cryptocoinsnews.com/bitgo-ddos-wirex-advisory/

See more here:
BitGo Under DDoS Attack; Wirex Advises Customers Not To Use Platform

NTP Patches Flaws That Enable DDoS

The network time protocol, at the center of a number of high-profile DDoS attacks in 2014, was updated on Thursday to ntp-4.2.8p8. The latest version includes patches for five vulnerabilities, including one rated high-severity. NTP, specifically the NTP daemon, synchronizes system clocks with time servers. Vulnerable NTP servers were used two years ago with regular frequency to carry out amplification attacks against targets. High-bandwidth NTP-based DDoS attacks skyrocketed as attackers used vulnerable NTP implementations to amplify DDoS attacks much in the way DNS amplification has been used in the past. Some NTP amplification attacks reached 400 Gbps in severity, enough to bring down even some of the better protected online services. US-CERT today released a vulnerability notification about the latest set of NTP vulnerabilities. “Exploitation of one of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition,” the US-CERT advisory said. US-CERT also published a list vendors potentially vulnerable to attack; as of this afternoon, only the NTP project’s ntpd implementation is known to be affected. The status of the remainder of the A-Z list of vendors is characterized as unknown. “Unauthenticated, remote attackers may be able to spoof or send specially crafted packets to create denial of service conditions,” US-CERT said. One of the vulnerabilities, privately reported by Cisco, is a crypto-NAK crash or denial-of-service bug. Crypto-NAK responses are sent by NTP servers if a server and client do not agree on a message authentication code. The four remaining flaws were disclosed by Red Hat researchers. One is related to the crypto-NAK issue. “An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association,” an NTP.org bug report says. Another patch corrects a flaw where spoofed server packets were processed. “An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set,” said the bug report. An autokey association reset flaw was also patched. Here an attacker who spoofs a packet with a correct origin timestamp before the response arrives can send a crypto-NAK or bad MAC and cause an association’s peer variables to be cleared, eventually preventing it from working correctly. The final vulnerability addressed is an issue where broadcast clients may be flipped into interleave mode. Source: NTP Patches Flaws That Enable DDoS https://wp.me/p3AjUX-uOO

Russia’s top 3 banks were target of world’s largest DDoS attack

Russia’s three largest Russian banks – VTB, Sberbank and Bank of Moscow – came under a massive DDoS-attack in the fall of 2015, a top manager at VTB has said. Claiming the attackers demanded a bitcoin payment for stopping the attack. A senior official from one of Russia’s largest banks has revealed that the lender became the target of the most extensive DDoS-attack in the entire history of monitoring in the fall of 2015. “A certain group of perpetrators” carried out a series of “the strongest DDoS-attacks” against Sberbank, VTB and Bank of Moscow for several days, Dmitry Nazipov, senior vice president of VTB, told the Russian media on June 1. According to him, the bank received a “fairly typical letter” in English at that time demanding a bitcoin payment in return for stopping the attacks. “Obviously, we did not agree to pay, but that attack was generally localized in three days, and was not repeated on such a scale thereafter,” said Nazarov. He pointed out that to solve the problem, VTB collaborated with police, telecom service providers and the Central Bank’s information security center, FinCert. In September 2015, the deputy head of the Central Bank’s main security and information protection directorate, Artyom Sychev, said that the websites of five major Russian banks had been subjected to a DDoS-attack. He did not disclose the names of the banks. Sychev said that after the end of the attacks, some of the banks attacked received letters from extortionists who demanded that 50 bitcoins (the average value of a bitcoin was around $230 in September 2015 – RBTH) be transferred to them for not repeating such attacks. He noted that the banks did not suffer damage as a result of the attack. Earlier on June 1, the Federal Security Service and the Interior Ministry reported the detention of 50 suspects in a theft of 1.7 billion rubles ($25 million) from financial institutions. The police also said that they could prevent 2.2 billion rubles’ ($32.5 million) worth of possible damage. The law enforcement agencies turned to security software producer Kaspersky Lab for help in identifying the suspects. According to the company, the hackers stole 3 billion rubles ($44.5 million). Six Russian banks, including Metallinvestbank, the Russian International Bank, Metropol and Regnum, were victims of the hackers. Source: https://rbth.com/business/2016/06/02/russias-top-3-banks-were-target-of-worlds-largest-ddos-attack_599743