Monthly Archives: October 2016

DDoS attack that disrupted internet was largest of its kind in history, experts say

Dyn, the victim of last week’s denial of service attack, said it was orchestrated using a weapon called the Mirai botnet as the ‘primary source of malicious attack’ The cyber-attack that brought down much of America’s internet last week was caused by a new weapon called the Mirai botnet and was likely the largest of its kind in history, experts said. The victim was the servers of Dyn, a company that controls much of the internet’s domain name system (DNS) infrastructure. It was hit on 21 October and remained under sustained assault for most of the day, bringing down sites including Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US. The cause of the outage was a distributed denial of service (DDoS) attack, in which a network of computers infected with special malware, known as a “botnet”, are coordinated into bombarding a server with traffic until it collapses under the strain. What makes it interesting is that the attack was orchestrated using a weapon called the Mirai botnet. According to a blogpost by Dyn published on Wednesday, Mirai was the “primary source of malicious attack traffic”. Unlike other botnets, which are typically made up of computers, the Mirai botnet is largely made up of so-called “internet of things” (IoT) devices such as digital cameras and DVR players. Because it has so many internet-connected devices to choose from, attacks from Mirai are much larger than what most DDoS attacks could previously achieve. Dyn estimated that the attack had involved “100,000 malicious endpoints”, and the company, which is still investigating the attack, said there had been reports of an extraordinary attack strength of 1.2Tbps. To put that into perspective, if those reports are true, that would make the 21 October attack roughly twice as powerful as any similar attack on record. David Fidler, adjunct senior fellow for cybersecurity at the Council on Foreign Relations, said he couldn’t recall a DDoS attack even half as big as the one that hit Dyn. Mirai was also used in an attack on the information security blog Krebs on Security, run by the former Washington Post journalist Brian Krebs, in September. That one topped out at 665 Gbps. “We have a serious problem with the cyber insecurity of IoT devices and no real strategy to combat it,” Fidler said. “The IoT insecurity problem was exploited on this significant scale by a non-state group, according to initial reports from government agencies and other experts about who or what was responsible. “Imagine what a well-resourced state actor could do with insecure IOT devices,” he added. According to Joe Weiss, the managing partner at the cybersecurity firm Applied Control Solutions and the author of Protecting Industrial Control Systems from Electronic Threats, it is hard to know what Mirai could become. “A lot of these cyber-attacks start out as one particular type of attack and then they morph into something new or different,” he said. “A lot of this is modular software. “I can’t speak for anyone else,” Weiss continued. “[But] I don’t know that we really understand what the endgame is.” Source: https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet

Original post:
DDoS attack that disrupted internet was largest of its kind in history, experts say

Chinese Firm Defends Webcam Security After DDoS Attacks

Hangzhou Xiongmai Technology says devices sold in the US before April 2015 will be recalled after attack on Dyn servers. China’s Hangzhou Xiongmai Technology, which has issued a recall for thousands of webcams sold in the US that were used in a massive distributed denial of service (DDoS) attack on the servers of US-based internet company Dyn, said the hacks occurred because customers didn’t change the default password, according to the AP. The attack, which in part came through devices with Xiongmai components, briefly cut access to many sites including Twitter, Netflix, Amazon, and Spotify. Xiongmai’s Liu Yuexin told AP the company did its best to secure the devices. The company, he added, came to know of the weakness in its webcams and digital recorders in April 2015 and had patched the flaws. Vulnerabilities in devices by Xiongmai and video surveillance maker Dahua first came to light after an attack on the website of cybersecurity writer Brian Krebs and has highlighted concerns of security risks from interconnected consumer gadgets. Source: http://www.darkreading.com/attacks-breaches/chinese-firm-defends-webcam-security-after-ddos-attacks/d/d-id/1327298

See more here:
Chinese Firm Defends Webcam Security After DDoS Attacks

?How to defend against the internet’s doomsday of DDoS attacks

Last week assault on Dyn’s global managed DNS services was only the start. Here’s how to fend off hackers’ attacks both on your servers and the internet. We knew major destructive attacks on the internet were coming. Last week the first of them hit Dyn, a top-tier a major Domain Name System (DNS) service provider, with a global Distributed Denial of Service (DDoS)attack. As Dyn went down, popular websites such as AirBnB, GitHub, Reddit, Spotify, and Twitter followed it down. Welcome to the end of the internet as we’ve known it. Up until now we’ve assumed that the internet was as reliable as our electrical power. Those days are done. Today, we can expect massive swaths of the internet to be brought down by new DDoS attacks at any time. We still don’t know who was behind these attacks. Some have suggested, since Dyn is an American company and most of the mauled sites were based in the US, that Russia or Iran was behind the attack. It doesn’t take a nation, though, to wreck the internet. All it takes is the hundreds of millions of unsecured shoddy devices of the Internet of Things (IoT). In the Dyn onslaught , Kyle York, Dyn’s chief strategy officer said the DDoS attack used “tens of millions” devices. Hangzhou Xiongmai Technology, a Chinese technology company, has admitted that its webcam and digital video recorder (DVR) products were used in the assault. Xiongmai is telling its customers to update their device firmware and change usernames and passwords. Good luck with that. Quick: Do you know how to update your DVR’s firmware? The attack itself appears to have been made with the Mirai botnet. This open-source botnet scans for devices using their default username and password credentials. Anyone can use it — China, you, the kid next door — to generate DDoS attacks. For truly damaging DDoS barrages, you need to know something about the internet’s architecture, but that’s not difficult. Or, as Jeff Jarmoc, a Salesforce security engineer, tweeted, “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” That’s funny, but it’s no joke. Fortunately, you can do some things about it. Securing the Internet of Things First, and this unfortunately is a long-term solution, IoT vendors must make it easy to update and secure their devices. Since you can’t expect users to patch their systems — look at how well they do with Windows — patching must be made mandatory and done automatically. One easy way to do this is to use an operating system, such as Ubuntu with Snap, to update devices quickly and cleanly. These “atomic” style updating systems make patches both easier to write and deploy. Another method is to lock down IoT applications and operating systems. Just like any server, the device should have the absolute minimum of network services. Your smart TV may need to use DNS, but your smart baby monitor? Not so much. That’s all fine and dandy and it needs to be done, but it’s not going to help you anytime soon. And, we can expect more attacks at any moment. Defending your intranet and websites First, you should protect your own sites by practicing DDoS prevention 101. For example, make sure your routers drop junk packets. You should also block unnecessary external protocols such as Internet Control Message Protocol (ICMP) at your network’s edge. And, as always, set up good firewalls and server rules. In short, block everything you can at your network edge. Better still, have your upstream ISP block unnecessary and undesired traffic. For example, your ISP can make your life easier simply by upstream blackholing. And if you know your company will never need to receive UDP traffic, like Network Time Protocol (NTP) or DNS, your ISP should just toss garbage traffic into the bit bin. You should also look to DDoS mitigation companies to protect your web presence. Companies such as Akamai, CloudFlare, and Incapsula offer affordable DDoS mitigation plans for businesses of all sizes. As DDoS attacks grow to heretofore unseen sizes, even the DDoS prevention companies are being overwhelmed. Akamai, for example, had to stop trying to protect the Krebs on Security blog after it was smacked by a DDoS blast that reached 620 Gbps in size. That’s fine for protecting your home turf, but what about when your DNS provider get nailed? You can mitigate these attacks by using multiple DNS providers. One way to do this is to use Netflix’s open-source program Denominator to support managed, mirrored DNS records. This currently works across AWS Route53, RackSpace CloudDNS, DynECT, and UltraDNS, but it’s not hard to add your own or other DNS providers. This way, even when a DDoS knocks out a single DNS provider, you can still keep your sites up and running. Which ones will work best for you? You can find out by using Namebench. This is an easy-to-use, open-source DNS benchmark utility. Even with spreading out your risk among DNS providers, DNS attacks are only going to become both stronger and more common. DNS providers like Dyn are very difficult to secure. As Carl Herberger, vice president for security solutions at Radware, an Israeli-based internet security company, told Bloomberg, DNS providers are like hospitals: They must admit anyone who shows up at the emergency room. That makes it all too easy to overwhelm them with massive — in the range of 500 gigabits per second — attacks. In short, there is no easy, fast fix here. One way you can try to keep these attacks from being quite so damaging is to increase the Time to Live (TTL) in your own DNS servers and caches. Typically, today’s local DNS servers have a TTL of 600 seconds, or 5 minutes. If you increased the TTL to say 21,600 seconds, or six hours, your local systems might dodge the DNS attack until it was over. Protecting the internet While the techniques might help you, they don’t do that much to protect the internet at large. DNS is the internet’s single point of total failure. That’s bad enough, but as F5, a top-tier ISP notes, DNS is historically under-provisioned. We must set up a stronger DNS system. ISPs and router and switch vendors should also get off their duffs and finally implement Network Ingress Filtering, better known as Best Current Practice (BCP)-38. BCP-38 works by filtering out bogus internet addresses at the edge of the internet. Thus, when your compromised webcam starts trying to spam the net, BCP-38 blocks these packets at your router or at your ISP’s router or switch. It’s possible, but unfortunately not likely, that your ISP has already implemented BCP-38. You can find out by running Spoofer. This is a new, open-source program that checks to see how your ISP handles spoofed packets. So why wasn’t it implemented years ago? Andrew McConachie, an ICANNtechnical and policy specialist, explained in an article that ISPs are too cheap to pay the small costs required to implement BCP-38. BCP-38 isn’t a cure-all, but it sure would help. Another fundamental fix that could be made is response rate limiting (RRL). This is a new DNS enhancement that can shrink attacks by 60 percent. RRL works by recognizing that when hundreds of packets per second arrive with very similar source addresses asking for similar or identical information, chances are they’re an attack. When RRL spots malicious traffic, it slows down the rate the DNS replies to the bogus requests. Simple and effective. Those are some basic ideas on how to fix the internet. It’s now up to you to use them. Don’t delay. Bigger attacks are on their way and there’s no time to waste. Source: http://www.zdnet.com/article/how-to-defend-against-the-internets-doomsday-of-ddos-attacks/  

View article:
?How to defend against the internet’s doomsday of DDoS attacks

Chinese firm recalls camera products linked to massive DDOS attack

Hangzhou Xiongmai Technology is recalling earlier models of four kinds of cameras due to a security vulnerability A Chinese electronics component maker is recalling 4.3 million internet-connected camera products from the U.S. market amid claims they may have played a role in Friday’s massive internet disruption. On Monday, Hangzhou Xiongmai Technology said it was recalling earlier models of four kinds of cameras due to a security vulnerability that can make them easy to hack. “The main  security  problem is that users aren’t changing the device’s default passwords,” Xiongmai said in a Chinese-language statement posted online. According to  security  firm Flashpoint, malware known as Mirai has been exploiting the products from Xiongmai to launch massive distributed denial-of-service attacks, including Friday’s, which slowed access to many popular sites, including Netflix, PayPal, and Twitter. Companies observing Friday’s disruption said botnets powered by the Mirai malware were at least partly responsible for the attack. Xiongmai, a maker of camera modules and DVR boards, has acknowledged that its products have been a target for hackers, but it said it patched the problem with the default passwords back in April 2015. For older products, the company has come up with a firmware update to fix the flaw. To prevent the security risks, the company has still decided to recall earlier models. However, Xiongmai has also dismissed news reports that its products were largely behind Friday’s DDOS attack as untrue and is threatening legal action against those who damage its reputation. “Security vulnerabilities are a common problem for mankind,” the  company  said. “All industry leaders will experience them.” Experts have said the Mirai malware is probably targeting products from several vendors, in addition to Xiongmai. The malicious coding is built to try a list of more than 60 combinations of user names and passwords when infecting  devices . So far, the Mirai malware has gone on to infect at least 500,000 devices, according to internet backbone provider Level 3 Communications. Source: http://www.pcworld.com/article/3133962/chinese-firm-recalls-camera-products-linked-to-massive-ddos-attack.html

Read More:
Chinese firm recalls camera products linked to massive DDOS attack

Anonymous hacker charged with #opJustina DDoS attacks on hospital

The Anonymous-affiliated hacker who admitted to cyberattacks on two hospitals in the #opJustinaoperation and fled the country while being investigated was indicted last week. Martin Gottesfeld, 32, a biotechnology information technology professional from Somerville, Massachusetts, is being charged with conspiracy to launch cyberattacks against two local hospitals: Boston Children’s Hospital (BCH) and the Wayside Youth and Family Support Network, a mental health facility. Those two hospitals were at the center of a case that attracted masses of media attention: that of Justina Pelletier, the then-15-year-old who was caught in a 16-month custody battle as her parents tried to have her treated for mitochondrial disease at one hospital, while Boston Children’s Hospital treated her in a psychiatric unit as a ward of the state. Gottesfeld’s indictment, handed down on Wednesday, also charges him with intentional damage to a protected computer. Both are felony hacking charges. Gottesfeld admitted to the attacks last month, explaining how he did it and why in an editorial published by the Huffington Post. I had heard many, too many, such horror stories of institutionalized children who were killed or took their own lives in the so-called “troubled teen industry”. I never imagined a renowned hospital would be capable of such brutality and no amount of other good work could justify torturing Justina. The distributed denial of service (DDoS) attack against BCH was planned for maximum financial damage, Gottesfeld said: he knew that the hospital was planning a big fundraising drive and that most donors gave online. In his editorial, he went on to scoff at BCH for making it easy for him to attack it, since the hospital kept its donation page on the same public network as the rest of its systems: Rookie mistake. To take it down, I’d have to knock the whole hospital off the internet. He also claimed that no patients would be harmed: There’s no such thing as an outage-proof network, so hospitals have to be able to function without the internet. It’s required by federal law, and for accreditation. The only effects would be financial and on BCH’s reputation. That’s not how the hospital, or the prosecution, sees it. The indictment states that BCH had to shut down its access to the internet and email servers to protect patient medical records. That meant that physicians outside the hospital couldn’t get at patients’ records. Nor could patients communicate with their doctors. BCH claims that responding to, and mitigating, the damage of the attack cost $300,000, while the disruption in fundraising meant another $300,000 hit, for a total loss of $600,000. Gottesfeld claims that the attack against BCH was a justifiable reaction to the actions of the hospital, which was described as  a “parentectomy”. Gottesfeld’s defence, to blame the hospital for the attack, is all too commonly heard. The blame-the-victim reasoning is often voiced by other cyberattackers, be it from people who guess at weak passwords and use them to waltz into accounts without authorization, or those who launch crippling attacks such as those that Gottesfeld admits to. But just because it’s easy to do doesn’t make those or other cybercrimes OK. They’re illegal, and they can result in jail time, fines or both. Each of the charges Gottesfeld’s facing carry a maximum sentence of five years in jail, along with fines. Gottesfeld has been detained in Rhode Island since he and his wife were plucked off their boat near the coast of Cuba and arrested in Florida. When the indictment was handed down last Wednesday, Gottesfeld was reportedly on day 16 of a hunger strike over the appointment of the office of Carmen Ortiz as his prosecutor. Ortiz was the prosecutor in the cases against both Aaron Swartz and Jonathan James, who both later took their own lives. She has faced sharp criticism over her approach to those cases. In spite of his admission to the DDoS attacks, Gottesfeld is likely to plead not guilty at his arraignment this week before US Magistrate Judge Marianne B. Bowler, his wife told the Washington Times. Source: https://nakedsecurity.sophos.com/2016/10/24/anonymous-hacker-charged-with-opjustina-ddos-attacks-on-hospitals/

Taken from:
Anonymous hacker charged with #opJustina DDoS attacks on hospital

How Hackers Make Money from DDoS Attacks

Attacks like Friday’s are often financially motivated. Yesterday’s attack on the internet domain directory Dyn, which took major sites like Twitter and Paypal offline, was historic in scale. But the motivation for the attack may seem opaque, since no valuable information seems to have been stolen. A group called New World Hackers is claiming credit, but giving conflicting accounts of their motives—and security experts have called them “impostors.” So why else might someone have done it? This class of hack, known as a distributed denial of service (DDoS) attack, has been around for a while. And while many DDoS attacks are indeed motivated by politics, revenge, or petty trolling, there’s frequently money involved. For instance, DDoS attacks are often used as leverage for blackmail. Once a hacking group has a reputation for being able to field a large and dangerous botnet to knock servers offline, they can demand huge ‘protection’ payments from businesses afraid of facing their wrath. In fact, they don’t even have to do the hacking in the first place—in one recent case, someone posing as a notorious cabal merely emailed blackmail messages and managed to pocket tens of thousands of dollars before they were exposed. In the current case, there are rumors that Dyn was a target of extortion attempts before the attack. And the hackers behind what may be the biggest DDoS attack in history could demand a pretty penny to leave other companies alone. A wave of impostors will likely give it a shot, too. There’s another, even darker money-driven application of DDoS attacks—industrial sabotage. Companies seeking to undermine their competition can hire hackers to take the other guys offline. DDoS services are often contracted through so-called “booter” portals where anyone can hire a hacker’s botnet in increments as small as 15 minutes. Researchers found last year that three of the most prominent booter services at the time had over 6,000 subscribers in total, and had launched over 600,000 attacks. (And despite the criminal reputation of Bitcoin, by far the largest method used to pay for DDoS-for-hire was Paypal.) But it’s unlikely that this was some sort of hit called in by a competitor of Dyn—that tactic seems to primarily appeal to already-shady dealers, including online gambling operations. Finally, DDoS attacks can serve as a kind of smokescreen for more directly lucrative crimes. While a security team is struggling to deal with an army of zombie DVRs pummeling their system, attackers can grab passwords, credit card numbers, or identity information. In weighing possible explanations for Friday’s attack, it’s important to note the massive scale of the thing. Even if their claims of responsibility aren’t credible, New World Hackers’ description of about 1.2 terabits of data per second thrown at Dyn’s servers is both vaguely plausible and utterly mind-boggling. That’s around a thousand times as powerful as the huge 620 gigabit per second attack that knocked out a single website, Krebs on Security, last month. Dyn has also described the attack as sophisticated, arriving in three separate waves that targeted different parts of their systems. That kind of operation could have been pulled off by a gang of kids doing it for kicks—and maybe that’s the scarier scenario. But such a massive undertaking suggests bigger, and possibly more lucrative, motivations. Source: http://fortune.com/2016/10/22/ddos-attack-hacker-profit/

See the original post:
How Hackers Make Money from DDoS Attacks

Major US DNS provider hit with DDoS, part of the Internet becomes unreachable

US-based DNS provider Dyn has suffered a massive DDoS attack earlier today, and it resulted in many websites being completely or intermittently inaccessible for a few hours. According to status reports published by the company, the target of the attack was the company’s Managed DNS infrastructure, and impacted Managed DNS customers located on the East Coast of the US. Among the websites that experienced issues as a result of the attack are Reddit, GitHub, Spotify, … More ?

Excerpt from:
Major US DNS provider hit with DDoS, part of the Internet becomes unreachable

Twitter, Amazon, other top websites shut in cyber attack

Major internet services including Twitter, Spotify and Amazon suffered service interruptions and outages on Friday as a US internet provider came under a cyber attack. The internet service company Dyn, which routes and manages internet traffic, said that it had suffered a distributed denial of service (DDoS) attack on its domain name service shortly after 1100 GMT. The service was restored in about two hours, Dyn said. The attack meant that millions of internet users could not access the websites of major online companies such as Netflix and Reddit as well as the crafts marketplace Etsy and the software developer site Github, according to media reports. The website Gizmodo said it had received reports of difficulty at sites for media outlets including CNN, The Guardian, Wired, HBO and People as well as the money transfer service PayPal. Dyn, which is headquartered in New Hampshire, said the attack went after its domain name service, causing interruptions and slowdowns for internet users. “This morning, October 21, Dyn received a global DDoS attack on our Managed DNS infrastructure in the east coast of the United States,” Scott Hilton, executive vice president for products at Dyn, said in a statement. “We have been aggressively mitigating the DDoS attack against our infrastructure.” The company said it was continuing to investigate. A map published by the website downdetector.com showed service interruptions for Level3 Communications, a so-called “backbone” internet service provider, across much of the US east coast and in Texas. Amazon Web Services, which hosts some of the most popular sites on the internet, including Netflix and the homestay network Airbnb, said on its website that users experienced errors including “hostname unknown” when attempting to access hosted sites but that the problem had been resolved by 1310 GMT. Domain name servers are a crucial element of internet infrastructure, converting numbered Internet Protocol addresses into the domain names that allow users to connect to internet sites. Distributed denial of service or DDoS attacks involve flooding websites with traffic, making them difficult to access or taking them offline entirely. Attackers can use them for a range of purposes, including censorship, protest and extortion. The loose-knit hacktivist network Anonymous in 2010 targeted the DNS provider EveryDNS among others in 2010 as retribution for denying service to the anti-secrecy organization WikiLeaks. “The internet continues to rely on protocols and infrastructure designed before cyber security was an issue,” said Ben Johnson, a former engineer at the National Security Agency and founder of the cybersecurity company Carbon Black. He said that growing interconnection of ordinary devices to the internet, the so-called “internet of things,” increased the risks to networks. “DDoS, especially with the rise of insecure IOT devices, will continue to plague our organizations. Sadly, what we are seeing is only the beginning in terms of large scale botnets and disproportionate damage done.” Source: http://phys.org/news/2016-10-twitter-spotify-websites-ddos.html

Read the article:
Twitter, Amazon, other top websites shut in cyber attack