Monthly Archives: June 2016

Chinese Gambling Company Was Target of a Nine-Vector 470 Gbps DDoS Attack

The attack also reached 110 million packets per second

On June 14, a Chinese gambling company was unlucky enough to be at the end of a complex multi-vector DDoS attack that blasted over 470 gigabits per second (Gbps) and over 110 million packets per second (Mpps) at its servers. The attack came after the company had already faced multiple 250+ Gbps attacks in the previous days. The good news is that this 470 Gbps attack only lasted four hours and was deflected by the company’s DDoS mitigation service.

Nine-vector DDoS attacks are rare

Even if short, the attack itself was extremely complex, with the crooks utilizing nine different attack vectors. Compared to data from the first quarter of 2016, nine-vector DDoS attacks are extremely rare and happen once every 500 attacks (0.2% of all attacks).

This particular attack started with a basic network-level assault that wanted to suffocate the network with large amounts of data. It first blasted SYN payloads, then generic TCP and UDP data packets. From the get-go, the attack was different from all the previous attacks, throwing over 300 Gbps at its target from its initial seconds, before growing bigger to reach its peak value.

Attack evolved from network to application level

Midway through the attack, the crooks completely changed tactics. They stopped the network-level attack and shifted to an application layer DDoS, during which attackers send packets of a smaller size, but in larger numbers to occupy the memory of the receiving servers.

Incapsula, the company that was providing DDoS mitigation, said that in Q1 2016, it regularly mitigated application layer 50+ Mpps DDoS attacks every four days, and 80+ Mpps attacks every eight days. Even if this attack exceeded 110 Mpps, the company was able to mitigate the threat. The combination of all these vectors makes this one of the most complex attacks the company saw.

In fact, Incapsula said this was the biggest DDoS attack it mitigated in terms of sheer size (470 Gbps) in its entire history. “On a technical level we want to make clear that there isn’t much difference in mitigating 300, 400, or 500 Gbps network layer attacks,” Incapsula’s Igal Zeifman and Ofer Gayer explain. “They’re similar threats, each dealt with in a similar manner. Large attack waves aren’t more dangerous than smaller ones. All you need is a bigger boat.”

Source: http://news.softpedia.com/news/chinese-gambling-company-was-target-of-a-nine-vector-470-gbps-ddos-attack-505850.shtml#ixzz4D57R4eWd

There Are over 100 DDoS Botnets Based on Lizard Squad’s LizardStresser

While most of Lizard Squad’s first members are in jail or hiding and hoping that law enforcement won’t come knocking on their door, the group continues to live on through new members, new attacks, but also through the LizardStresser toolkit, which they leaked online at the start of 2015. The toolkit was heavily forked and adapted, as many other hacking groups sought to use it to create their own botnets to use for DDoS attacks, whether just to annoy people, to extort companies, or for hacktivism activities.

LizardStresser is geared towards infecting IoT devices

Arbor Networks says that LizardStresser is not extremely complicated, and is nothing more than a DDoS attack toolkit that uses the ancient IRC protocol to communicate between the C&C server and the client-side component. Because LizardStresser is coded in C and designed to run on Linux architectures, Arbor Networks says that a lot of groups that are deploying new LizardStresser instances are taking advantage of unsecured IoT devices running on platforms such as x86, ARM, and MIPS, where a stripped-down Linux version is the preferred OS.

We touched on this topic last year when Lizard Squad’s new members were having trouble with their own botnet after unknown security researchers were trying to hijack some of these infected IoT systems.

Webcams make the bulk of the LizardStresser-based botnets

According to Arbor Networks, most of these infected IoT devices are Internet-connected webcams, accessible through a page broadcasting the “NETSurveillance WEB” title, and using their default access passwords. In a DDoS attack of over 400 Gbps aimed at a gaming site, Arbor says that 90% of the bots that participated in the attack were this type of webcam.

The DDoS attacks are extremely simple and don’t even use traffic amplification/reflection techniques. LizardStresser was created to launch direct DDoS attacks, meaning the bots send UDP or TCP floods directly to the target.

LizardStresser launches direct DDoS attacks, no protocol amplification

Because of the massive amount of unsecured IoT devices, groups that use LizardStresser can launch massive DDoS attacks, previously thought to be unachievable without UDP-based amplification protocols such as NTP or SNMP. Furthermore, LizardStresser also includes a telnet brute-forcing feature that’s used to test new devices for default passwords and inform the C&C server about possible new victims.

All of these features make LizardStresser a popular choice when hacking outfits and hacktivism groups are looking for tools to build or broaden their DDoS capabilities. Overall, there’s a growing trend in terms of hacking groups adopting LizardStresser.

“LizardStresser is becoming the botnet-du-jour for IOT devices given how easy it is for threat actors to make minor tweaks to telnet scanning,” says Matthew Bing of Arbor Networks. “With minimal reseach [sic] into IOT device default passwords, they are able to enlist an exclusive group of victims into their botnets.”

[Figure: Number of C&C servers using LizardStresser in 2016]

Source: http://news.softpedia.com/news/there-are-over-100-ddos-botnets-based-on-lizard-squad-s-lizardstresser-505816.shtml#ixzz4D0b6wPkw

The Network Ops DDoS Playbook

With the prevalence of DDoS attacks, good preparation and planning can go a long way toward making the DDoS response process as manageable, painless, and inexpensive as possible. The Network Ops DDoS Playbook is a guide focused on how to prepare yourself against a DDoS attack on your business and what to do if you are under attack. You’ll find practical tips, best practices and an overview of the cyber security technologies available to protect …

25,000-strong CCTV botnet used for crippling DDoS attacks

A DDoS attack against a jewelry shop website has led researchers to the discovery of a CCTV botnet comprised of some 25,000 cameras from around the globe. The website had been repeatedly attacked, first with 35,000 HTTP requests per second and then, when those efforts were thwarted, with 50,000 HTTP requests per second. Looking into the IP addresses from which the attack was coming, Sucuri researchers discovered that all of them were running the …

A Massive Botnet of CCTV Cameras Involved in Ferocious DDoS Attacks

All clues lead back to Chinese DVR vendor TVT

A botnet of over 25,000 bots lies at the heart of recent DDoS attacks that are ferociously targeting businesses around the world. More exactly, we’re talking about massive Layer 7 DDoS attacks that are overwhelming Web servers, occupying their resources and eventually crashing websites.

US-based security vendor Sucuri discovered this botnet, very active in the last few weeks, and they say it’s mainly composed of compromised CCTV systems from around the world. Their first meeting with the botnet came when a jewelry shop that was facing a prolonged DDoS attack opted to move their website behind Sucuri’s main product, its WAF (Web Application Firewall).

Botnet can crank out attacks of 50,000 HTTP requests per second

Sucuri thought they had this one covered, just as in other cases where companies move their sites behind the WAF, the attacks are blocked, and the attacker eventually moves on to other targets. Instead, they were in for a surprise.

While the initial attack was a Layer 7 DDoS with over 35,000 HTTP requests per second hitting the server and occupying its memory with garbage traffic, as soon as the attackers saw the company upgrade their website, they quickly ramped up the attack to 50,000 requests. For Layer 7 attacks, this is an extraordinarily large number, enough to drive any server into the ground. But this wasn’t it. The attackers continued their assault at this high level for days.

Botnet’s nature allowed attackers to carry out attacks at higher volumes

Usually, DDoS attacks flutter as the bots come online or go offline. The fact that attackers sustained this high level meant their bots were always active, always online.

Sucuri’s research into the incident discovered over 25,513 unique IP addresses from where the attacks came. Some of these were IPv6 addresses. The IPs were spread all over the world, and they weren’t originating from malware-infected PCs, but from CCTV systems.

Taiwan accounted for a quarter of all compromised IPs, followed by the US, Indonesia, Mexico, and Malaysia. In total, the compromised CCTV systems were located in 105 countries.

[Figure: Top 10 locations of botnet’s IPs]

The unpatched TVT firmware comes back to haunt us all

Of these IPs, 46 percent were assigned to CCTV systems running on the obscure and generic H.264 DVR brand. Other compromised systems were ProvisionISR, Qsee, QuesTek, TechnoMate, LCT CCTV, Capture CCTV, Elvox, Novus, or MagTec CCTV.

Sucuri says that all these devices might be linked to Rotem Kerner’s investigation, which discovered a backdoor in the firmware of 70 different CCTV DVR vendors. These companies had bought unbranded DVRs from Chinese firm TVT. When informed of the firmware issues, TVT ignored the researcher, and the issues were never fixed, leading to crooks creating this huge botnet.

This is not the first CCTV-based botnet used for DDoS attacks. Incapsula detected a similar botnet last October. The botnet they discovered was far smaller, made up of only 900 bots.

Source: http://news.softpedia.com/news/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks-505722.shtml#ixzz4CsbxFc4A

Botnet-powered ballot stuffing suspected in 2nd referendum petition

‘Tiny fraction of the overall count’ however

A petition for a second EU referendum in the UK has been hit by suspicions of computer automated ballot stuffing, possibly by politically motivated hackers.…

Inside the World of the Dark DDoS

This isn’t your grandma’s DDoS

Today’s distributed denial of service attacks are different than the kinds that we saw at the dawn of the millennium when the threat emerged. They’re becoming more nuanced, and subtle – and they could result in a lot more than a downed web server.…

Godless Android malware offers serious firepower to a botnet herder

One of the most concerning characteristics of the Godless malware is the ability to receive remote instructions on which app to download and install on mobile devices, without the user’s knowledge. This is called command and control (C&C). Being a DDoS subject matter expert, I believe this has the makings of something more insidious than malicious ads. Nearly one million infected Android devices connected to 4G LTE networks offer some serious firepower for a botnet …

Anonymous Legion claims attack on Minnesota courts website

The international activist hacker group Anonymous Legion is claiming responsibility for an attack on the Minnesota Judicial Branch’s website that rendered it unusable for most of Wednesday. State officials became aware of the “distributed denial-of-service” (DDoS) attack about 8 a.m. Wednesday, around the same time Anonymous Legion e-mailed the Star Tribune.

“Servers have also been penetrated and data has been secured, contrary to what they will tell you,” said Anonymous Legion’s e-mail. “This will occur frequently.” The group said the act was executed “collectively, through a global attack.” It is known for DDOS attacks on government websites, among others.

The attack is similar to ones that interrupted the site last December. Last year’s attacks were traced to Asia and Canada. The state did not say Wednesday whether the attacks may be linked. “We are in the process of communicating with the FBI Cyber Task Force about this incident,” Beau Berentson, a spokesman for the state court administration office, said in a written statement.

The website (www.mncourts.gov), visited by thousands every day looking to access court resources and information, was taken offline as the attack was investigated. Access to the site was restored around 5:15 p.m. “We have no evidence that any secure data has been inappropriately accessed,” Berentson said. Other online resources linked through the website are still functioning, including eFiling and eService, the Court Payment Center and remote access to district and appellate court records.

The website was down for several hours from Dec. 21 to 31 in the previous attacks. “In a DDOS attack, an outside entity attempts to overwhelm an online resource with so much network traffic that it is no longer accessible to legitimate users,” State Court Administrator Jeff Shorba said in a January statement about last year’s attacks. “During these attacks, the Minnesota Judicial Branch did not experience any form of data breach or inappropriate access to court records, nor is there any evidence to suggest that the attackers attempted to gain access to Judicial Branch records or information.” Those attacks were reported to the federal government and Canadian authorities.

“DDoS attacks are becoming increasingly common against high-profile websites in both the public and private sectors,” Shorba said in January. “While we cannot prevent these attacks from being launched, the Minnesota Judicial Branch is now better prepared to respond to these types of attacks in the future.”

Source: http://www.startribune.com/minnesota-courts-website-attacked-again-by-hackers/384003231/
