Monthly Archives: January 2015

BitTorrent’s Project Maelstrom will host websites in torrents

When you enter a URL and hit enter, your computer reaches out to a server someplace in the world to access a website. Sometimes a site is stored on a few servers for redundancy or load balancing, but the model is functionally the same. BitTorrent, the company behind the popular file sharing protocol, is looking to change the way websites are hosted by keeping the data not on a centralized server, but on the home computers of users. These sites would be split up into pieces just like a file shared via a torrent. BitTorrent calls this system Project Maelstrom, and it’s getting very close to reality. Project Maelstrom is built on a modified version of Chromium, the open source project that backs Google’s Chrome browser. If we extend the file sharing analogy to Project Maelstrom, the modified browser is basically your torrent client. You enter a web address, and the browser connects to a “swarm” of users already accessing the site who have pieces of it ready to send over. These bits are assembled into the final product and displayed normally. If it works as intended, you won’t notice a difference in the functionality of these sites. The torrent browser is going to be able to access regular web pages via the internet, but it’s mainly for these so-called torrent web pages. One of the main advantages here will be scalability that surpasses anything we have today on traditional server infrastructure. When a site gets hit by a lot of traffic, a server has to devote more and more bandwidth to serving content, which can easily saturate the pipes. In the case of a distributed denial of service attack (DDoS), a website can be knocked offline for hours or days. A torrent web page should actually become more reliable as it is accessed more. More seeds means more speed and accessibility.   One notable drawback to Project Maelstrom would be the relative difficulty in keeping very new or unpopular sites online. When a new torrent web page is created, there is only one source for the data, probably with nowhere near the power of a dedicated web server. So the creator is the first seed, the next person to visit is the second seed, but the third person then has two sources to download from, then becoming the third seed. It’s just like a torrent — it can get stupid-fast when there are enough seeds. The decentralized nature of Project Maelstrom would also make it nearly impossible to take down a website as long as users kept seeding it. Seems like a perfect match for The Pirate Bay, right? This platform would present ethical issues, of course. What if a legitimately terrible or illegal site were hosted in Maelstrom? There might not be any way to take it down. This is something law enforcement already deals with on Tor, but Project Maelstrom has the potential to be much faster and easier to use. Still, BitTorrent thinks content providers will get on board with Maelstrom as a way to reduce costs. For example, if Netflix can detect when a user is connecting through a Maelstrom-enabled browser, it could save money by serving video content through a swarm of multiple users, rather than pushing separate streams out to everyone individually. It would be like a content delivery network on steroids. BitTorrent is going to find out if Maelstrom will be used for good or evil soon. A consumer version is expected this year.   Source: http://www.extremetech.com/internet/198578-bittorrents-project-maelstrom-will-host-websites-in-torrents

View article:
BitTorrent’s Project Maelstrom will host websites in torrents

Latest Lizard Squad hack shows increasing strength of DDoS attacks

Bill Barry, executive vice president, Nexusguard, has prepared a comment in light of the recent Lizard Squad hack on Taylor Swift’s Twitter account: “The hack on Taylor Swift proves that the Lizard Squad has another string to its bow, having previously used DDoS attacks to bring down the Sony Playstation, Microsoft Xbox and Malaysian Airlines systems rather than infiltrating them. “It’s time for businesses and brands to realise the multi-faceted security threats presented by sophisticated cyber criminals. “The DDoS for hire space has become so lucrative that these mayhem-for-sport acts of hacking  a celebrity Twitter account is a way to build brand recognition and raise awareness that anyone, anywhere could be the victim of cyber attacks. “This heightened market awareness becomes a dangerous marketing engine to allow anyone with a slight motive to launch their own attacks at intended targets. “Using this tactic has meant that in a short time over 14,000 customers have signed up to use the Lizardstresser DDoS tool. “The Lizard Squad has proved, if nothing else, that DDoS attacks are becoming more effective. The methods used by DDoS networks to locate vulnerabilities within security systems are more sophisticated and automated. “Leveraging zero-day and zero-plus vulnerabilities in unprotected networks means that they are able to recruit and add infected computers to their attack army at an ever-alarming rate. “This increased rate of botnet recruitment not only gives the attacker a flexible arsenal of attacks for causing mayhem, but increases the overall effectiveness and success rate of each attack. “Imagine the leverage a group such as The Lizard Squad could gain by bringing down a betting website on Grand National Day, for example. “The best way to guard against zero-plus attacks to is to always be vigilant and proactively try to identify vulnerabilities and weaknesses in your system before the attackers do. For an enterprise,  this may mean compiling rules and guidelines on which online applications are approved for use, and implementing proactive monitoring at an application level to detect abnormalities as early as possible. “However, this is just the first layer of total protection – an effective defence requires in-depth, tailored implementation, not a one-size-fits-all mitigation solution. “With multi-vector attacks, all avenues of attack must be detected and mitigated. For example, sophisticated attackers like the Lizard Squad may be using a mixture of DDoS and hacking – no off-the-shelf product is likely to deal with such an approach effectively. “Best practice is to seek the guidance of a security specialist that can design and customise a solution specific to your business.” Source: http://www.itproportal.com/2015/01/30/latest-lizard-squad-hack-shows-increasing-strength-ddos-attacks/

View original post here:
Latest Lizard Squad hack shows increasing strength of DDoS attacks

Nearly half of all DDoS attacks uses multiple attack vectors

Akamai released a new security report that provides analysis and insight into the global attack threat landscape including DDoS attacks. Akamai observed a 52 percent increase in average peak band…

More:
Nearly half of all DDoS attacks uses multiple attack vectors

Nearly half of all DDoS attacks use multiple attack vectors

Akamai released a new security report that provides analysis and insight into the global attack threat landscape including DDoS attacks. Akamai observed a 52 percent increase in average peak band…

See original article:
Nearly half of all DDoS attacks use multiple attack vectors

We take bots down, but they get up again – you’re never going to keep them down

Dell analysis shows ZeroAccess botnet still slinging out A combined attack on one of the world’s biggest networks of infected PCs has been partially successful: analysis from Dell SecureWorks shows you can’t keep a bad botnet down.…

View post:
We take bots down, but they get up again – you’re never going to keep them down

How much can a DDoS attack cost your organization?

A DDoS attack on a company’s online resources might cause considerable losses – with average figures ranging from $52,000 to $444,000 depending on the size of the company. For many organizations, thes…

View article:
How much can a DDoS attack cost your organization?

A new kind of DDoS threat: The “Nonsense Name” attack

There’s a new species of Distributed Denial of Service (DDoS) attack targeting name servers, which could be called the “nonsense name” attack. It can wreak havoc on recursive and authoritative name servers alike, and some of our customers at Infoblox have fallen victim to it—but it’s not always clear whether they were actually the targets. The “nonsense name” DDoS attack works like this: –  An attacker chooses a zone to attack, say foo.example . –  A botnet controlled by the attacker generates random domain names in the zone, with nonsense-first labels, such as asdfghjk.foo.example and zxcvbnm.foo.example . –  The bots send many queries for those domain names to recursive name servers. –  Those recursive name servers, in turn, send queries to foo.example ’s authoritative name servers for those domain names. –  The authoritative name servers send responses saying that the domain names in question don’t exist (in the DNS business, what’s called an NXDOMAIN response). –  The recursive name servers relay that response to the original querier and cache the non-existence of the domain name. –  Lather, rinse, repeat. If the attacker can generate queries quickly enough, the aggregate query rate will overwhelm the foo.example name servers. That’s when the fun really starts: –  The bots continue sending queries for the generated domain names to recursive name servers. –  Now that the authoritative name servers have stopped responding, the recursive name servers take much longer to process each query. In the case of the BIND name server, the name server can wait 30 seconds and send dozens of (unanswered) queries before giving up. –  This uses up recursive query slots on the recursive name server, which eventually runs out, denying additional recursive queries—some of them legitimate. When this happens, a BIND name server sends a message like the following to syslog : Jan 21 14:44:00 ns1 named[4242]: client 192.168.0.1#1110: no more recursive clients: quota reached At that point, the name server will refuse additional recursive queries, denying service to clients. Who’s the target? In most cases, the organization running the authoritative name servers (in this example, those for foo.examp le ) seems to bethe target. For example, some of the domain names in attacks we’ve seen are used by Chinese gambling sites. (Maybe someone is trying to exact revenge on the house for some tough losses?) However, the recursive name servers involved end up as collateral damage in the attack. Could they have actually been the targets? We’ve seen some evidence of this. Some of the zones involved in attacks against our customers have mysteriously disappeared a day or two after the attack, indicating that they likely weren’t in active use (and in fact were probably registered in a “Domain Tasting” scheme). The attackers could have deliberately registered these zones with slow or unresponsive name servers, so that resolution of domain names in the zone would take as long as possible. Of course, regardless of the target, the mechanism behind the attack remains exactly the same. Mitigation Generally speaking, you’d notice a nonsense name attack when your recursive name server starts running out of recursive query slots, as evidenced by the syslog message earlier. These messages provide the IP addresses of the queriers denied access by the lack of slots. First, ask yourself whether the IP addresses in the messages are addresses your name server should be serving. If not, you may be able to simply configure your name server with an access control list to restrict queries to authorized queriers. If the malicious queries are coming from legitimate IP addresses, clearly you’ll need to use another mechanism. One possibility is to use BIND’s very handy Response Policy Zones feature to temporarily prevent your name server from sending queries for the troublesome zone. An RPZ rule to prevent your name server from looking up foo.example domain names could be as simple as: *.foo.example.your.rpz.zone.         IN        CNAME            . You also need to set an option called qname-wa it-recurse to no ( for more information on these options click here). This will cause your name server to respond to queries for domain names in foo.example with NXDOMAIN without querying the foo.example name servers. If your recursive name servers don’t run BIND 9.10 yet (the first version of BIND that supports this option), or don’t run BIND at all, you can still temporarily set up an empty foo.example zone to prevent your name server from trying to look up data in the misbehaving one. The zone data file would be minimal: @        IN        SOA     ns1      root     2015010700 1h 15m 30d 10m IN        NS       ns1 Configure your recursive name server as authoritative for the zone—an exercise left to the reader—and it’ll simply answer most queries for foo.example domain names with NXDOMAIN (except queries for foo.example ’s SOA or NS record, obviously). Just remember that the RPZ rules or zone configuration is temporary. After the attack ends, you’ll need to remove them to be able to resolve domain names in the zone again. The good folks at the Internet Systems Consortium, who develop the BIND name server, are also working on new mechanisms to address the issue more subtly, by introducing two new configuration options: fetches-per-server and fetches-per-zone . Fetches-per-server places a limit on the number of concurrent queries a recursive name server can have outstanding to a single authoritative name server. The imposed limit is actually dynamic, and adjusted downward based on timeouts experienced when querying the authoritative name server. Fetches-per-zone places a limit on the number of concurrent queries a recursive name server can have outstanding for a single zone. Between these two features, administrators should be able to reduce the chance that their BIND name servers will be victims—inadvertent or not—of nonsense name DDoS attacks like these. Source: http://www.networkworld.com/article/2875970/network-security/a-new-kind-of-ddos-threat-the-nonsense-name-attack.html        

More:
A new kind of DDoS threat: The “Nonsense Name” attack

Facebook downtime was due to server fault, not DDoS attack

Unless you were living under a rock or had something better to do than check Facebook every single minute, you would have realised that both Facebook and Instagram was down for many people. However, despite claims that it was due to a DDoS attack, Facebook has said that the outage was because of a server fault. “This was not the result of a third-party attack but instead occurred after we introduced a change that affected our configuration systems,” Facebook said in a statement to the ABC. “Both services are back to 100 per cent for everyone.” Other services that also suffered an outage were Tinder and HipChat – both are now accessible at the time of writing. While Tinder hasn’t confirmed what caused the outage, HipChat has suggested that it was a database error. Facebook’s explanation is different to what Lizard Squad, known for their high-profile DDoS attacks on PlayStation Network and Xbox Live, recently posted on Twitter. A post suggested that they did a DDoS attack to take Facebook down. Another news organisation has casted doubt on Facebook’s explanation, citing a screenshot of IP Viking as evidence. IP Viking is a website maintained by security company Norse and displays cyberattacks in real-time. However, that does not necessarily proof that Facebook was taken down by a DDoS attack by attackers. IP Viking only tracks cyberattacks on Norse’s honeypot servers only – which emulate vulnerable servers to gather intelligence on attackers, such as IP addresses. While Facebook might have data centres in particular city, so do many other companies – like Norse. So, unless something drastic happens – like a massive data dump of personal information – to prove otherwise, then the outage was just a system change gone wrong. Source: http://techgeek.com.au/2015/01/27/facebook-downtime-due-server-fault-not-ddos-attack/

Read the article:
Facebook downtime was due to server fault, not DDoS attack

Great Firewall of China blasts DDoS attacks at random IP addresses

An upgrade to China’s Great Firewall is having knock-on effects all over the internet, with seemingly random sites experiencing massive traffic spikes. One site owner in North Carolina, Craig Hockenberry, has written up how, after he looked into why his mail server was down, he found 52Mbps of search traffic piling into his system: 13,000 requests per second, or roughly a third of Google’s search traffic. The post goes into some detail over howHockenberry managed to deal with the firehose-blast of requests, all of it coming from China and much of it trying to find Bittorrents or reach Facebook. Short version: he blocked all of China’s IP blocks. Hockenberry is not the only one dealing with a sudden flood of requests, though. There are numerous reports of sysadmins finding that their IP address has appeared in front of the headlights of the Chinese government’s censorship juggernaut, causing them to fall over and forcing them to introduce blocking measures to get back online. After a number of different theories about what was happening, including focussed DDoS attacks and “foreign hackers” – that suggestion courtesy of the Chinese government itself – the overall conclusion of the technical community is that bugs have been introduced into China’s firewall. Particularly, something seems to have gone wrong in how it uses DNS cache poisoning to redirect users away from sites the government doesn’t want them to see. Poison China uses a weak spot of the DNS system to intercept requests coming into and going out of the country. If it spots something it doesn’t like – such as a request for “facebook.com” or “twitter.com” – it redirects that request to a different IP address. For a long while, China simply sent these requests into the ether – i.e. to IP addresses that don’t exist, which has the effect of causing the requests to time out. However, possibly in order to analyze the traffic more, the country has started sending requests to IP addresses used by real servers. Unfortunately, it seems that there have been some configuration mishaps and the wrong IP addresses have been entered. When one wrong number means that a server on the other side of the world suddenly gets hits with the full stream of millions of Chinese users requesting information, well then … that server falls over. The situation has had a broader impact within China. Tens of millions of users weren’t able to access the Web while the government scrambled to fix the problem. According to one Chinese anti-virus vendor, Qihoo 360, two-thirds of Chinese websites were caught up in the mess. China’s DNS infrastructure experts started pointing the finger at unknown assailants outside its system. “The industry needs to give more attention to prevent stronger DNS-related attacks,” said Li Xiaodong, executive director of China’s Internet Network Information Center (CNNIC). Your own medicine The reality, however, is that China has seen the downside to its efforts to reconfigure the basic underpinnings of the domain name system to meet political ends. The network is designed to be widely distributed and route around anything that prevents effective communication. By setting itself up as a bottleneck – and an increasingly huge bottleneck as more and more Chinese users get online – the Chinese government is making itself a single point of failure. The slightest error in its configurations will blast traffic in uncertain directions as well as cut off its own users from the internet. For years, experts have been warning about the “balkanization” of the internet, where governments impose greater and greater constraints within their borders and end up effectively breaking up the global internet. What has not been covered in much detail is the downside to the countries themselves if they try to control their users’ requests, yet make mistakes. Source: http://www.theregister.co.uk/2015/01/26/great_firewall_of_china_ddos_bug/

View article:
Great Firewall of China blasts DDoS attacks at random IP addresses