Tag Archives: var-username

DDoS-for-hire cyberattacks are effective and cost-effective

DDoS-for-hire is a growing business for cybercriminals, and continues to prove effective Read more at http://www.tweaktown.com/news/43708/ddos-hire-cyberattacks-effective-cost/index.html Distributed denial of service (DDoS) cyberattacks have plagued consumers and businesses for quite some time, but the rising number of DDoS attacks available as a paid service is troubling. Clients can pay from $2 up to $5 per hour to launch DDoS attacks, or pay a subscription for prices as low as $800 per month. The Lizard Squad hacker group helped draw increased scrutiny to the underground cybercriminal activity – demonstrating its LizardStresser DDoS service in successful attacks against the Sony PlayStation Network and Microsoft Xbox Live. Meanwhile, the Gwapo DDoS service has been publicly advertised via social media and YouTube posted videos, with attacks starting at $2 per hour. “Since their inception in 2010, DDoS-for-hire capabilities have advanced in success, services and popularity, but what’s most unnerving is booters have been remarkably skilled at working under the radar,” according to the “Distributed Denial of Service Trends” report from Verisign. “Given the ready availability o DDoS-as-a-service offerings and the increasing affordability of such services, organizations of all sizes and industries are at a greater risk than ever of falling victim to a DDoS attack that can cripple network availability and productivity.” Source: http://www.tweaktown.com/news/43708/ddos-hire-cyberattacks-effective-cost/index.html

View original post here:
DDoS-for-hire cyberattacks are effective and cost-effective

Network of city websites CitySites under DDoS Attack

On February 15, about ten websites of the cities that are in the same network CitySites, were under a DDoS-attack. The ones to suffer most from the attack were the websites of Kharkiv (057.ua), Zaporizhzhya (061.ua), and Mykolaiv (0512.com.ua). Also, the websites of Artemivsk, Luhansk, and Sumy were affected. According to the network’s tech support, the attacks are random as if the hackers were feeling out the websites’ defense. The websites of Donetsk, 62.ua, and Mariupol, 0629.com.ua, are beyond the hackers’ reach. Source: http://imi.org.ua/en/news/47756-network-of-city-websites-citysites-under-ddos-attack.html

View article:
Network of city websites CitySites under DDoS Attack

The growing threat of DDoS attacks on DNS

Current security solutions are proving inadequate in combating DNS attacks – See more at: http://www.information-age.com/technology/security/123459033/growing-threat-ddos-attacks-dns#sthash.Yy7UXtWd.dpuf Since 2012, the number of infrastructure attacks on the domain name system (DNS) has increased by over 200%. Yet despite this rise, many businesses still aren’t doing enough to secure a critical component of their IT infrastructure. A 2014 survey on IT infrastructure security found that more than a quarter of companies had not established formal responsibility for DNS security. The reaction of both the media and consumers to the high-profile attacks witnessed in 2014, such as those on Target and JP Morgan, has shown companies will not be easily forgiven when a hack occurs – especially if certain security measures could have prevented the attack. With the ever-increasing rise in distributed denial of service (DDoS) attacks on DNS, companies not taking measures to secure their DNS will appear negligent. DNS is easy to exploit, and organisations need to understand that they have little choice but to work around its weaknesses. In its  2014 Annual Security Report , Cisco found that all the corporate networks examined showed evidence of having been compromised. 96% showed traffic to hijacked servers and 92% revealed traffic to sites without any content, typically a sign of malware hosting. It is clear that DNS-based DDoS attacks are not only a growing threat, but also one that’s being overlooked. DNS security should be considered a priority given these increasing risks. Knowledge is key, and businesses need to understand how these attacks work if they want to protect themselves. Understanding DDoS attacks It’s surprisingly, and worryingly, simple to generate a DDoS attack using an organisation’s DNS infrastructure. Hackers hijack the system to send queries to name servers across the Internet from a spoof IP address of their target (this is as simple and effective as writing someone else’s return address on a postcard). The name servers then, in turn, send back responses. If these responses were around the same size as the queries themselves, this wouldn’t in itself be enough to wreak the desired havoc on the target. To inflict the maximum damage, the query needs to be amplified so it returns the largest possible response. And this has become much simpler since the adoption of DNS security extensions (DNSSEC). Following the introduction of the set of extensions known as EDNS0 in 1999 UDP-based DNS messages (DNS messages which use Internet Protocol (IP) to get data from one computer to another) have been able to carry greater amounts of data. Whilst most queries are under 100 bytes, the responses can be significantly larger, anywhere up to 4,096 bytes. Responses of this size were once a rare occurrence in the internet’s namespace, but digital signatures and cryptographic keys stored by DNSSEC in the namespace are now commonplace and massive. To see the extent to which these amplified responses can be used as an effective DDoS attack, consider a query of just 44 bytes. This single query, if sent from a spoofed IP address to a domain containing DNSSEC records, could generate a response of over 4,000 bytes. Using a botnet of thousands of computers, and recruiting 10 fellow comrades, could deliver 1Gbps of replies to incapacitate the target. Thankfully most name servers can be modified to recognise when they’re being repeatedly queried for the same information from the same IP address. However, it’s a different story for open recursive servers, of which there are estimated to be 33 million around the world. These will continually accept the same query from the same spoofed IP address, each time sending back responses as discussed in the DNSSEC examples previously mentioned. Knowledge is the key Of all the steps that companies can take to protect themselves from such attacks, the first and probably the most important is learning to recognise just when a DDoS attack is taking place. Many organisations don’t know what their query load is, let alone when they’re under attack. With the statistics support built into the DNS software BIND, administrators are able to analyse their data for socket errors, query rates, and other attack indicators. Whilst it may not be clear exactly what the attack looks like, by monitoring the DNS statistics it is possible to get an understanding of what the trends are, so anomalies can be more easily identified. It’s also important to scrutinise an organisation’s internet-facing infrastructure for single points of failure. This should not only be in external authoritative name servers, but also in the firewalls, switch and router interactions, and connections to the Internet. Once these vulnerabilities have been identified, the question is whether these can be cost-effectively and easily eliminated. Also, wherever possible, external authoritative name servers should be broadly geographically distributed. This will not only help avoid single points of failure, but will also improve the response time performance for the closest customers. Another easy step is overprovisioning existing infrastructure, which is both inexpensive and easy to trial prior to an attack. This helps mitigate the massive number of responses resulting from a DDoS attack. But has the consequence of potentially making you a better ‘amplifier’ for attacks on a third party. Therefore an approach that enables your DNS servers to continue to serve legitimate traffic whilst identifying and intelligently limiting rouge traffic may be a better approach. The ever-increasing threat posed to DNS means that priority must be given to learning about and implementing preventative measures to mitigate the threat. Understanding how DDoS attacks exploit DNS servers is the first step to reducing an organisation’s threat level. Formally assigning responsibility for DNS security and taking steps to understand typical query loads are both relatively simple tasks that will help reduce exposure to DNS attacks. With attacks on DNS increasing at an alarming rate, businesses that fail to act will be vulnerable. Source: http://www.information-age.com/technology/security/123459033/growing-threat-ddos-attacks-dns

See the original article here:
The growing threat of DDoS attacks on DNS

Dutch government says DDoS attack took down websites for hours

Cyber attackers crippled the Dutch government’s main websites for most of Tuesday and back-up plans proved ineffective, exposing the vulnerability of critical infrastructure at a time of heightened concern about online security. The outage at 0900 GMT (0400 ET) lasted more than seven hours and on Wednesday the government confirmed it was a cyber attack. The United States has beefed up cybersecurity laws and created an intelligence-gathering unit to coordinate analysis of cyber threats after attacks against Sony Pictures and Home Depot. The outage affected most of the central government’s major websites, which provide information to the public and the media, but phones and emergency communication channels remained online. Other websites, including GeenStijl.nl, a popular portal which mocks politicians and religions, were also hit by the “distributed denial of service” (DDoS) attack, said Rimbert Kloosterman, an official at Government Information Service, which runs the websites. “Our people are investigating the attack together with the people from the National Centre for Cyber Security,” he said. The complexity and size of the government’s many websites had rendered the back-up useless, he said. Prolocation, the website host, said the attack had been a “complex” problem and that its phone lines had also gone down. “The initial symptoms pointed first to a technical problem, but it then emerged we were facing an attack from the outside,” the company said in a statement. But one computer security expert doubted that a DDoS attack, in which systems are overloaded with a flood of requests from hijacked computers, could have been hard to identify. “If you face a DDoS, you know it,” Delft Technical University cyber security specialist, Christian Doerr, said. Such attacks were hard to guard against and the software for such an attack could be bought illegally for as little as $25. “Even a 16-year-old with some pocket money can attack a website,” he said. Source: http://www.reuters.com/article/2015/02/11/us-netherlands-government-websites-idUSKBN0LF0N320150211

See original article:
Dutch government says DDoS attack took down websites for hours

How The Great Firewall Of China Caused A DDoS Attack In France

Many people outside China know about the country’s Great Firewall, but probably assume it will have little, if any, impact on their own online activities. However, a fascinating post on Benjamin Sonntag’s blog explains how one of the servers of La Quadrature du Net, the Paris-based digital freedom association he co-founded, and for which his company provides free hosting, was hit by distributed denial of service attacks (DDOS) caused directly by the Great Firewall’s policies. His blog post provides all the technical details: it turned out that the vast majority of the attacks were coming from Chinese IP addresses. Here’s what seems to have happened: China is censoring its Internet, that’s well known to do this, this country censors (among others) DNS [Domain Name System] queries in its network (and also censoring as a side effect, the rare Japanese, Korean or Taiwanese queries going through China) when it answers a DNS query to a censored website, it answers with “any incorrect IP address” instead. That is, instead of letting Chinese Net users access “forbidden” content, the Great Firewall generally re-directs them to some random, presumably harmless, site. But that wasn’t happening here: we see spikes of requests to websites censored in China coming to IP addresses such as those of La Quadrature du Net. Other people had this same issue : http://furbo.org/2015/01/22/fear-china/ So, the end story is that we just saw censored websites requests coming to La Quadrature du Net’s IP address from China, due to how the Chinese Internet censorship is working! Rather than pushing limited traffic to lots of sites, the Great Firewall was sending lots of traffic to just a few. Among the possible explanations for this new behavior, Sonntag offers two that are equally worrying: Maybe one of the system administrator of the great firewall of China is gaining some small and quick money selling DDOS, selling Internet attacks to the highest bidder (in bitcoin? ) and using that censorship system as a weapon Maybe China chose a precise list of targets to send censored traffic to, adding to this technical “useful” process (the censorship) a “nice” one (putting down foreign opponents’ websites)… La Quadrature du Net, as a digital freedom association, seems to be too nice a target (among others of course). Neither is good news for sites in the West. Whatever the real reason for this DDOS attack on La Quadrature, it certainly shows that the operation of the Great Firewall of China can have very direct effects outside that country. Another reason, perhaps, for those in the West to pay closer attention to China’s increasingly harsh approach to online censorship. Source: https://www.techdirt.com/articles/20150204/09454829910/how-great-firewall-china-caused-ddos-attack-france.shtml

More:
How The Great Firewall Of China Caused A DDoS Attack In France

Anonymous-linked hacker admits to DDoS of public services

Merseyside resident disrupted more than 300 sites with bogus traffic. A hacker with links to Anonymous has admitted conducting distributed-denial-of-service (DDoS) attacks against social services, crime prevention bodies and businesses. Ian Sullivan, a 51-year-old from Bootle in Merseyside, flooded more than 300 websites with bogus traffic in 2013, rendering them unusable for legitimate visitors, though the police said no data was stolen. Steven Pye, senior operations manager at the National Crime Agency’s (NCA) cybercrime unit, said: “Many DDoS attacks are little more than a temporary inconvenience, but in this case Sullivan’s actions are likely to have deprived vulnerable people of access to important information, ranging from where to get support on family breakup, to reporting crime anonymously.” “This multi-agency operation illustrates the commitment of the NCA and its partners to pursuing people who think they can criminally disrupt important public services or legitimate businesses.” Sullivan was arrested on July 29, 2013 by the Police Central e-Crime Unit after the DDoS attacks were referenced by a Twitter account. Investigators found software on his computer capable of taking websites offline, as well as documents linking him to other campaigns run by hacking collective Anonymous. He will be sentenced at Liverpool Crown Court on May 1. Source: http://www.cbronline.com/news/security/anonymous-linked-hacker-admits-to-ddos-of-public-services-4507312

View article:
Anonymous-linked hacker admits to DDoS of public services

Massive DDoS Brute-Force Campaign Targets Linux Rootkits

A brute force campaign looking to set up a distributed denial of service (DDoS) botnet using a rare Linux rootkit malware has been launched, emanating from the servers of a Hong Kong-based company called Hee Thai Limited. The malware, known as XOR.DDoS, was first spotted in September by security research firm Malware Must Die. But security firm FireEye says that new variants have been making their way into the wild, as recently as Jan.20. XOR.DDoS is installed on targeted systems via SSH (Secure Shell) brute-force attacks that target both servers and network devices. And these are being carried out using complex attack scripts to serve the malware through a sophisticated distribution scheme that allows the attackers to compile and deliver tailored rootkits on-demand, to infect x86 and mobile ARM systems alike. Once infected, the hosts are enlisted to launch DDoS attacks. “While typical DDoS bots are straightforward in operation and often programmed in a high-level script such as PHP or Perl, the XOR.DDoS family is programming in C/C++ and incorporates multiple persistence mechanisms including a rare Linux rootkit,” FireEye researchers noted in an analysis. What’s notable about the Hee Thai attack is the sheer scale of the operation. Within 24 hours of first sighting back in November, FireEye had observed well over 20,000 SSH login attempts, per server. By the end of January, each server had seen nearly 1 million login attempts. During this time period, traffic from 103.41.124.0/24 accounted for 63% of all observed port 22 traffic. “Someone with a lot of bandwidth and resources really wanted to get into our servers,” FireEye researcher noted. They also said that the campaign has been evolving. At the beginning, each IP address would attempt more than 20,000 passwords before moving on. It then dropped to attempting a few thousand passwords before cycling to the next, and repeat attacks also began to occur. Now, a new stage of the Hee Thai campaign is more chaotic than the previous two. “The attacks now occur en masse and at random, frequently with multiple IPs simultaneously targeting the same server,” FireEye explained. The Hee Thai campaign also features an on-demand malware build system. Using a sophisticated set of build systems, the malware harvests kernel headers and version strings from victims to deliver customized malware that may be compiled on-demand to deliver XOR.DDoS to the target machine. This strategy makes hash signature-based detection systems ineffective for detecting XOR.DDoS. “Brute force attacks are one of the oldest types of attacks,” FireEye researchers said. “Due to its ubiquity, there are numerous solutions available for defending against them. However a great many systems are vulnerable. Even in enterprise settings, network devices and servers in forgotten branch offices could be exposed to this threat.” Source: http://www.infosecurity-magazine.com/news/massive-ddos-bruteforce-targets/

Read the article:
Massive DDoS Brute-Force Campaign Targets Linux Rootkits

Home Routers and IoT Devices Set to Drive DNS DDoS Attacks

The volume of DNS-based DDoS attacks will see another sharp rise this year as increasing numbers of home routers and IoT devices are compromised, according to Nominum. The network infrastructure and security firm claimed there was a 100-fold rise in such attacks during 2014 with a major spike in December thanks to malware in home gateways. The trend is likely to continue in 2015, with the volume of exploitable home and IoT devices set to soar. According to Nominum, just 100 compromised devices managed to take down one million subscriber networks last year. In such DDoS campaigns, the attackers send specially crafted queries to ISP DNS resolvers and authoritative DNS servers, making the websites reliant upon them unreachable. Nominum claims that many DDoS prevention services are unable to counter these attacks as they’re either deployed in the wrong part of the network or lack accuracy. The firm added that last year, 24 million home routers with open DNS proxies were compromised and used to launch DDoS attacks. The volume of vulnerable devices has decreased since then, but with more than 100 million routers shipped every year and IoT devices set to reach tens of billions over the coming years, there’ll be plenty of opportunity for attackers to strike, it claimed. “The recent shift to bot-based DNS DDoS dramatically changes the threat landscape and these attacks will likely grow worse as the number of connected devices increases,” said Craig Sprosts, vice president product management at Nominum, in a statement. “These attacks are continuously changing and increasingly targeting legitimate domains, requiring rapid response and making simple domain or IP-based blocking approaches too risky to deploy in service provider networks.” However, David Stubley, CEO of security consultancy 7 Elements, argued that firms shouldn’t focus all their defensive efforts on DNS-related DDoS. “We have been dealing with bots and DDoS for the last 15 years and have seen a number of new techniques, such as BitTorrent as a delivery method for DDoS attacks,” he told Infosecurity . “While DNS amplification attacks will make DDoS attacks larger, this is just one of a number of approaches used and doesn’t dramatically change the threat landscape. Organizations need to assess the overall impact on their business that a DDoS attack could have and take appropriate measures to ensure that they can meet their business objectives.” Source: http://www.infosecurity-magazine.com/news/home-routers-iot-devices-drive-dns/

Read the original post:
Home Routers and IoT Devices Set to Drive DNS DDoS Attacks

Hackers ransoming encryption keys from website owners

Hackers are finding even more ways to harm website owners, in a new report from security firm High-Tech Bridge hackers are switching encryption keys and then ransoming website owners for money. The attack—known as “RansomWeb”—manages to take the current encryption keys and swap them with non-working numbers. In order for the website owner to regain control, they are forced to pay the hackers. Encryption is the basis of modern internet security, but with this new hack it locks the website owner out and gives no way to get back in, without having even more security latched on top. Even if the website owner sends payment over, there is no guarantee they will get the website back, or any guarantee that the attacker will not launch the same attack later. “We are probably facing a new emerging threat for websites that may outshine defacements and DDoS attacks.” Ilia Kolochenko, chief executive of High-Tech Bridge said. “RansomWeb attacks may cause unrepairable damage, they are very easy to cause and pretty difficult to prevent.” These hackers wait for months until new patches of encryption keys are added, before locking out the website owner. This gives them full control over the website and allows them to implement old keys that are invalid. Kolochenko claims this is a change in hacker identity, moving from chaos to financial motives. He believes the next slew of hackers will always look for ransoms and lock owners out, instead of simply defacing a website. This was first seen on the Sony Pictures hack, when the apparent hackers sent ransom messages to Sony executives three days before taking the entire system offline. The ever changing world of encryption makes it hard for security firms to properly defend customers, especially with this new RansomWeb attack. It may lead to firms like Google and Facebook offering security help for smaller sites, offering new encryption and security tools. Source: http://www.itproportal.com/2015/02/03/hackers-ransoming-encryption-keys-website-owners/

Read More:
Hackers ransoming encryption keys from website owners

Tidal waves of spoofed traffic: DDoS attacks

While massive retail breaches dominated headlines in 2014, with hacks involving state-sponsored threats coming in a strong second, distributed denial-of-service (DDoS) attacks continued to increase, both in the volume of malicious traffic generated and the size of the organizations falling victim. Recently, both the Sony PlayStation and Xbox Live gaming networks were taken down by Lizard Squad, a hacking group which is adding to the threat landscape by offering for sale a DDoS tool to launch attacks. The Sony and Xbox takedowns proved that no matter how large the entity and network, they can be knocked offline. Even organizations with the proper resources in place to combat these attacks can fall victim. But looking ahead, how large could these attacks become? According to the “Verisign Distributed Denial of Service Trends Report,” covering the third quarter of 2014, the media and entertainment industries were the most targeted during the quarter, and the average attack size was 40 percent larger than those in Q2. A majority of these insidious attacks target the application layer, something the industry should be prepared to see more of in 2015, says Matthew Prince, CEO of CloudFlare, a website performance firm that battled a massive DDoS attack on Spamhaus early last year. Of all the types of DDoS attacks, there’s only one Price describes as the “nastiest.” And, according to the “DNS Security Survey,” commissioned by security firm Cloudmark, more than 75 percent of companies in the U.S. and U.K. experienced at least one DNS attack. Which specific attack leads that category? You guessed it. “What is by far the most evil of the attacks we’ve seen…[are] the rise of massive-scale DNS reflection attacks,” Prince said. By using a DNS infrastructure to attack someone else, these cyber assaults put pressure on DNS resolver networks, which many websites depend on when it comes to their upstream internet service providers (ISP). Believing these attacks are assaults on their own network, many ISPs block sites in order to protect themselves, thus achieving the attacker’s goal, Prince said. By doing so “we effectively balkanize the internet.” As a result, more and more of the resolvers themselves will be provided by large organizations, like Google, OpenDNS or others, says Prince. Source: http://www.scmagazine.com/tidal-waves-of-spoofed-traffic-ddos-attacks/article/393059/

Originally posted here:
Tidal waves of spoofed traffic: DDoS attacks