Monthly Archives: June 2013

Microsoft borks botnet takedown in Citadel snafu

Stupid Redmond kicked over our honeypots, wail white hats

Security researchers are complaining about collateral damage from the latest botnet take-down efforts by Microsoft and its partners.…

EU to vote on stiffer penalties for hackers

Member states of the European Union might soon be creating new laws that will raise minimum prison sentences for convicted cyber attackers and botnet herders. Last week, the European Parliament …

Microsoft Citadel takedown ultimately counterproductive

Last week's disruption of nearly 1500 Citadel botnets believed to be responsible for over half a billion US dollars in financial fraud and affecting more than five million people in 90 countries has b…

Are DDoS Attacks Against Banks Over?

Distributed-denial-of-service attacks against U.S. banks have been dormant for nearly four weeks, leading security experts to question when and if a new phase of attacks might emerge.

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters, which since last September has taken credit for the hits against banks, claimed its attacks were in protest of a YouTube movie trailer deemed offensive to Muslims. But some observers have speculated that Iran was backing the DDoS strikes against banks as payback for cyber-espionage attacks, such as Stuxnet, Flame and Duqu, that have over the last three years affected Iranian computer systems.

Rodney Joffe, senior technologist for online security provider Neustar Inc., says the current lull could be a sign that the attacks waged by the hacktivist group are over. “It’s a wild conjecture,” Joffe says. “But we may have seen the end of them.”

Joffe says indirect activity linked to the al-Qassam Cyber Fighters’ botnet, known as Brobot, has continued. But there have been no direct attacks. And that lack of activity raises questions about whether al-Qassam will wage any more attacks, Joffe says. “The botnet is no bigger than it was,” he says. “We take [compromised] machines down and then new machines keep getting added. I still have hope that the government will have some impact or effect, but don’t know one way or the other.”

The Federal Bureau of Investigation in April warned that Brobot had been modified, “in an attempt to increase the effectiveness with which the [botnet’s] scripts evade detection.” The FBI said the actors behind Brobot were changing their attack methodology to circumvent mitigation efforts put forth by U.S. banking institutions. The FBI also noted that as of April 10, 46 U.S. banking institutions had been targeted by more than 200 separate DDoS attacks of “various degrees of impact” since September.

Financial fraud expert Avivah Litan, an analyst at Gartner, says intervention from federal authorities may have spurred al-Qassam to halt its attacks. But, like Joffe, she says there is no way to be sure. “I do know the banks were trying to get the White House to do something politically, and that could be what’s happened.”

But other experts, such as Mike Smith of Web security provider Akamai Technologies, don’t think there’s been anything going on behind the scenes to keep the attacks from resuming.

Different Attack Actors

Other experts anticipate that another group could emerge to resume DDoS attacks against banks if Izz ad-Din al-Qassam Cyber Fighters ends its campaigns. “There has been a lull in the al-Qassam-like attacks,” says Scott Hammack, CEO of DDoS-mitigation provider Prolexic. “But I would definitely not misunderstand this lull as being an end to these types of attacks. The attacks will continue; it’s really just a question of when, not if.”

The current break comes after a third phase of hacktivist attacks, which kicked off in March. The latest campaign ran eight weeks, the longest-running so far. The break from the third phase of attacks has lasted four weeks so far. By comparison, the break between the first campaign, which began Sept. 18, and the second campaign, which kicked off Dec. 10, lasted six weeks. And the break between the second and third campaigns lasted five weeks.

Hammack, like Smith, says Brobot, as well as other botnets, continue to grow. In fact, over Memorial Day weekend, Prolexic helped to mitigate a 167-gigabyte DNS-reflection attack, the largest attack recorded to date, Hammack says. “The attack traffic was global and required us to use all four of our cloud-based scrubbing centers,” he says.

DNS-reflection was the attack method used in Operation Stophaus, an attack waged in March by The Spamhaus Project, a Geneva-based not-for-profit organization dedicated to fighting Internet spam. And while it’s not an extremely sophisticated type of attack, Hammack says these types of DDoS strikes are only going to become more prevalent. “There are plenty of countries where rogue elements will continue to exist,” he says. “You’re never going to overcome that. I think, if anything, people should be taking advantage of this down time to fortify their infrastructures.”

The application-layer attacks al-Qassam Cyber Fighters favored in its last two campaigns have remained inactive, even though the group appears to continue efforts to grow and strengthen its botnet. “The botnets are out there,” Hammack says. “We have between 15,000 and 100,000 compromised web servers out there that we know of. So the artillery is still out there to create these types of attacks. We just haven’t seen any of the web server attacks for the last 30 days.”

Why Have Attacks Stopped

So why have the hacktivists remained quiet for the last month? On May 6, al-Qassam Cyber Fighters claimed on the open forum Pastebin that its attacks would cease for just a week, out of respect for OperationUSA, a separate hacktivist movement organized by Anonymous that proved unsuccessful. Many experts predicted the group’s attacks against banks would resume by May 14. But they didn’t.

Some have speculated that international law enforcement could be close to nailing members of the al-Qassam team. But Hammack says drawing conclusions based on the ebbs and flows of DDoS attacks is dangerous because hacktivists attack in waves. “Certain attacks die down after certain periods,” he says. “That doesn’t mean, though, that the attacks are over.”

Banking institution leaders say they’ve been advised by groups such as the Financial Services Information Sharing and Analysis Center not to lessen their DDoS mitigation efforts. Litan says banks are heeding that advice. “The banks have more vendors involved now,” she says. “I don’t think they’ll ever pull back. They have put a lot of systems in. They really can’t go back now, and they shouldn’t.”

Source: http://www.bankinfosecurity.com/are-ddos-attacks-against-banks-over-a-5801/op-1

Microsoft and FBI storm ramparts of Citadel botnets

Next: The hunt for evil botnet overlord ‘Aquabox’

The ZeuS-derived Citadel botnet, which rose to public prominence last year, is being progressively disabled by Microsoft, and the FBI is on the hunt for its masters.…

Possibly related DDoS attacks cause DNS hosting outages

Distributed denial-of-service (DDoS) attacks that could be related have in the past few days slammed the DNS servers of at least three providers of domain name management and DNS hosting services. DNSimple, easyDNS and TPP Wholesale all reported temporary DNS service outages and degradation on Monday, citing DDoS attacks as the reason. In some cases the attacks started a few days ago and are ongoing.

TPP Wholesale, a subsidiary of Sydney-based Netregistry, one of Australia’s largest providers of Web hosting, domain management and other online services, alerted its customers through its website on Monday that eight of its DNS servers experienced “unscheduled service interruption.” TPP Wholesale experienced a series of DDoS attacks against its DNS name servers over the past several days, the Netregistry Group Security Team said in a blog post.

The company managed to mitigate the DDoS attacks that caused service interruptions throughout Monday by taking “the drastic step” of rate-limiting DNS queries, the team said. Such aggressive filtering is prone to false positives and might result in some customers being denied DNS service. “In the next few days we will continue to whitelist such false positives as we discover them,” the team said.

Second wave

EasyDNS, a DNS hosting provider based in Toronto, also reported DNS service disruptions caused by a DDoS attack on Monday. “This looks like a larger version of a smaller DDoS yesterday which was possibly a test run,” the company’s CEO Mark Jeftovic said Monday in a blog post. “This DDoS attack is different from our previous ones in that it looks as if the target is us, easyDNS, not one of our clients.”

Jeftovic said that it was difficult to differentiate the real traffic from the DDoS traffic, but the company managed to partially mitigate the attack and also published workarounds for affected customers. “This is the ‘nightmare scenario’ for DNS providers, because it is not against a specific domain which we can isolate and mitigate, but it’s against easyDNS itself and it is fairly well constructed,” he said.

Third victim

Aetrion, based in Malabar, Florida, operates a DNS hosting service called DNSimple, which was also attacked on Monday. According to DNSimple founder Anthony Eden, the DDoS attack is ongoing, but the company managed to mitigate it. “Our authoritative name servers were used as an amplifier for an attack against a third-party network,” Eden said Tuesday via email. “The attacker essentially flooded us with ‘ANY’ queries for a variety of domains managed by our DNS service, with the intention of amplifying these small queries into significantly larger responses aimed at a specific network.”

This attack technique is known as DNS reflection or DNS amplification. It involves sending queries with a spoofed source IP (Internet Protocol) address, usually the victim’s address, to DNS servers from a large number of computers in order to trigger long responses to be sent by those servers to the victim’s IP address within a short time window. If enough computers and DNS servers are used, the resulting rogue DNS traffic will exhaust the victim’s available Internet bandwidth.

The DNS reflection technique has been known for a long time. However, its recent use to launch DDoS attacks of unprecedented scale, like the one in March that targeted a spam-fighting organization called Spamhaus, has likely brought it renewed interest from attackers.

The attack experienced by DNSimple on Monday was significantly larger in volume and duration than other attacks that hit the company’s name servers in the past, Eden said. He believes that the attack is related to the ones experienced by easyDNS and TPP Wholesale. “The pattern displayed on TPP Wholesale’s blog is similar to what we see, and we have been communicating with easyDNS and find similarities between the attacks.”

EasyDNS and TPP Wholesale did not immediately respond to inquiries seeking more information about the recent attacks against their servers and confirmation that they were using DNS reflection techniques.

Attack and abuse reports on the increase

It’s possible that DNS servers operated by other companies were also affected by this attack, Eden said. “A DNS provider will have a significantly higher number of customers and thus the attacks get noticed much sooner because it affects a larger group of people,” he said.

DNSimple’s authoritative name servers were used to amplify a DDoS attack directed at a server hosting company called Sharktech or one of its customers, Eden said. Sharktech has noticed a surge of abuse reports in the past 24 hours coming from ISPs and hosting companies complaining about DDoS attacks against their DNS servers that appear to originate from Sharktech, said Tim Timrawi, president and CEO of Sharktech, via email. Upon further investigation the company determined that these reports were actually the result of a DNS amplification attack against its own customers that abused the authoritative DNS servers of those companies, he said.

Most of the affected DNS servers were secured properly and were being queried for domains they are responsible for, Timrawi said. “Unlike previous DNS Amplification Attacks in which the attacker used open recursive DNS servers, in this one, the attacker is collecting all the DNS servers they can find and sending MX (and other kind of queries) to them for their domain records with a spoofed source of the target host,” he said. The amplified DDoS attack targeting Sharktech customers was larger than 40Gbps, Timrawi said. “We are unaware of the reason behind the attacks,” he said.

The abuse of authoritative name servers in DNS reflection attacks is not very common because attackers need to know the exact domain names that each abused server is responsible for, said Carlos Morales, vice president of sales engineering and operations at DDoS mitigation provider Arbor Networks. Obtaining this information is not very hard, but it does require additional work compared to abusing open DNS resolvers, and attackers usually prefer the easiest route to reach their goals, he said.

Open DNS resolvers are recursive DNS servers that are configured to accept queries from any computers on the Internet. These act as relays between users and authoritative DNS servers; they receive queries for any domain name, find the authoritative name server responsible for it and relay the information obtained from that server back to the user. Meanwhile, authoritative name servers, like those operated by DNSimple, easyDNS and TPP Wholesale, will only respond to queries concerning the domain names they serve.

Well-prepared attackers

The extra work required to target such servers suggests that the attackers behind the recent attacks on these DNS hosting providers were well prepared and did their homework in advance, Morales said.

One mitigation against this kind of attack is to configure the DNS server software to force all “ANY” queries sent over UDP (User Datagram Protocol) to be resent over TCP (Transmission Control Protocol) instead, Eden said. This can be done by sending a UDP response with the TC bit set and an empty answer section. A legitimate DNS client will retry over TCP, while a bogus client will get no benefit, he said.

In the case of open resolvers, the problem can be mitigated by restricting which IP addresses are allowed to query them, said Morales. For example, an ISP operating a DNS resolver for its customers can restrict its use to only IP addresses from its network, he said. However, this kind of mitigation is not applicable to authoritative name servers because they are meant to be queried by anyone on the Internet who wants to get information about the specific domain names served by them, Morales said.

The mitigation described by Eden is very good and is actually one that Arbor also uses to protect authoritative name servers, he said. Another mitigation is to enforce a query rate limit for source IP addresses, he said.

Source: http://www.pcworld.com/article/2040766/possibly-related-ddos-attacks-cause-dns-hosting-outages.html
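The two mitigations described above for authoritative servers, the TC-bit reply to UDP "ANY" queries and a per-source query rate limit, are sketched below in Python as an added example; it is not code from the article or from any provider named in it. The function names, the fixed-window limiter and the sample query bytes are constructed for illustration.

```python
import struct
import time

QTYPE_ANY = 255
FLAG_QR, FLAG_TC, FLAG_RD, OPCODE_MASK = 0x8000, 0x0200, 0x0100, 0x7800
# Constructed sample: query id 0x1a2b, RD set, one question "example.com ANY IN".
SAMPLE_ANY_QUERY = bytes.fromhex("1a2b01000001000000000000076578616d706c6503636f6d0000ff0001")

def parse_question(packet):
    """Return (qtype, end_offset) of the single question, or raise ValueError."""
    if len(packet) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("not a single-question query")
    offset = 12
    while offset < len(packet) and packet[offset] != 0:
        if packet[offset] > 63:  # compression pointers have no place in a question
            raise ValueError("bad label")
        offset += 1 + packet[offset]
    if offset + 5 > len(packet):  # root label + QTYPE + QCLASS must remain
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[offset + 1:offset + 3])[0]
    return qtype, offset + 5

def truncated_reply(packet, end):
    """Echo id and question, set QR and TC, carry zero records."""
    qid, flags = struct.unpack("!HH", packet[:4])
    reply_flags = FLAG_QR | FLAG_TC | (flags & (OPCODE_MASK | FLAG_RD))
    return struct.pack("!6H", qid, reply_flags, 1, 0, 0, 0) + packet[12:end]

class RateLimiter:
    """Fixed-window query limit per source IP (the spoofed victim, in a reflection)."""
    def __init__(self, limit, window=1.0):
        self.limit, self.window, self.state = limit, window, {}
    def allow(self, src, now=None):
        now = time.monotonic() if now is None else now
        start, count = self.state.get(src, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        self.state[src] = (start, count + 1)
        return count < self.limit

def handle_udp(packet, src, limiter, now=None):
    """Return (action, reply): 'drop', 'truncate' (TC=1 reply) or 'answer'."""
    if not limiter.allow(src, now):
        return "drop", None
    try:
        qtype, end = parse_question(packet)
    except ValueError:
        return "drop", None
    if qtype == QTYPE_ANY:
        return "truncate", truncated_reply(packet, end)
    return "answer", None  # normal zone lookup would run here (out of scope)
```

The truncated reply is exactly as long as the query, so a spoofed "ANY" query gains no amplification, while a real resolver sees TC=1 and retries over TCP.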

Spamhaus-style DDoS attacks: All the hackers are doing it

‘All you need is 10 lines of code and a lot of patience’

Hackers are increasingly turning to DNS reflection to amplify the volume of distributed denial of service (DDoS) attacks.…

Turkish gov’t websites hacked by Anonymous

A group of computer hackers known as Anonymous carried out early on Monday a series of cyberattacks on Turkish government websites in retaliation for violent police response to anti-government protests. Several Anonymous messages in its Twitter blog provide links to the sites, including those of Turkish President Abdullah Gul and Turkey’s ruling Justice and Development Party, that have been denied public access. Hackers normally use distributed denial of service (DDoS) attacks to knock their targets offline.

Turkey’s Hürriyet Daily News reported on Monday that some Turkish media websites have also been targeted by Anonymous “for failing to adequately cover the events.”

The planned demolition of Gezi Park in central Istanbul sparked mass rallies in the city on Saturday, prompting police to use tear gas and water cannons to disperse the protesters. Violent clashes between protesters and police continued in Istanbul and the capital, Ankara, on Sunday. The rally in Istanbul triggered more than 230 separate protests in 67 cities across the country, according to Sky News.

Turkey’s Interior Minister Muammer Guler said on Sunday that more than 1,700 people had been arrested in the unrest nationwide, adding that 58 civilians and 115 security officers had been injured over several days of protests. The United States and the European Union have already urged the Turkish government to exercise restraint, while Amnesty International has condemned the use of tear gas by Turkish police as “a breach of international human rights standards.”

Anonymous declares Internet attacks in support of Turkish protests

Anonymous vows to kick off a worldwide action which will “bring the Turkish government to its knees.” With #opTurkey, the hacktivist collective plans to “attack every Internet and communications asset of the Turkish government.” Anonymous claims to have taken down several websites across Turkey, targeting municipal governments in Mersin and Izmir as well as the Gebze Institute of Technology.

Source: http://www.turkishweekly.net/news/151067/turkish-gov-39-t-websites-hacked-by-anonymous.html
