Posts Tagged ‘DDOS’

Google unveils an anti-DDoS platform for human rights organizations and media, but will it work?

Tuesday, October 22nd, 2013

Project Shield uses company’s infrastructure to absorb attacks

On Monday, Google announced a beta service that will offer DDoS protection to human rights organizations and media, in an effort to reduce the censorship that such attacks cause.

The announcement of Project Shield, the name given to the anti-DDoS platform, came during a presentation in New York, at the Conflict in a Connected World summit. The gathering included security experts, hacktivists, dissidents, and technologists, in order to explore the nature of conflict and how online tools can both be a source of protection and harm when it comes to expression, and information sharing.

“As long as people have expressed ideas, others have tried to silence them. Today one out of every three people lives in a society that is severely censored. Online barriers can include everything from filters that block content to targeted attacks designed to take down websites. For many people, these obstacles are more than an inconvenience — they represent full-scale repression,” the company explained in a blog post.

Project Shield uses Google’s massive infrastructure to absorb DDoS attacks. Enrollment in the service is invite-only at the moment, but it could be expanded considerably in the future. The service is free, but will follow page speed pricing should Google open enrollment and charge for it down the line.

However, while the service is sure to help smaller websites, such as those run by dissidents exposing corrupt regimes, or media speaking out against those in power, Google makes no promises.

“No guarantees are made in regards to uptime or protection levels. Google has designed its infrastructure to defend itself from quite large attacks and this initiative is aimed at providing a similar level of protection to third-party websites,” the company explains in a Project Shield outline.

One problem Project Shield may inadvertently create is a change in tactics. If the common forms of DDoS attacks are blocked, then more advanced forms of attack will be used. Such an escalation has already happened for high value targets, such as banks and other financial services websites.

“Using Google’s infrastructure to absorb DDoS attacks is structurally like using a CDN (Content Delivery Network) and has the same pros and cons,” Shuman Ghosemajumder, VP of strategy at Shape Security, told CSO during an interview.

The types of attacks a CDN would solve, he explained, are network-based DoS and DDoS attacks. These are the most common, and the most well-known attack types, as they’ve been around the longest.

In 2000, flood attacks were in the 400Mb/sec range, but today’s attacks regularly exceed 100Gb/sec, according to anti-DDoS vendor Arbor Networks. In 2010, Arbor started to see a trend led by attackers who were advancing DDoS campaigns by developing new tactics, tools, and targets. What that has led to is a threat that mixes flood, application and infrastructure attacks in a single, blended attack.

“It is unclear how effective [Project Shield] would be against Application Layer DoS attacks, where web servers are flooded with HTTP requests. These represent more leveraged DoS attacks, requiring less infrastructure on the part of the attacker, but are still fairly simplistic. If the DDoS protection provided operates at the application layer, then it could help,” Ghosemajumder said.

“What it would not protect against is Advanced Denial of Service attacks, where the attacker uses knowledge of the application to directly attack the origin server, databases, and other backend systems which cannot be protected against by a CDN and similar means.”

Google hasn’t mentioned directly the number of sites currently being protected by Project Shield, so there is no way to measure the effectiveness of the program from the outside.

In related news, Google also released a second DDoS-related tool on Monday, made possible by data collected by Arbor Networks. The Digital Attack Map, as the tool is called, is a monitoring system that lets users see historical DDoS attack trends and connect them to related news events on any given day. The data is also shown live, and can be sorted granularly by location, time, and attack type.

Source:  csoonline.com

China’s Internet hit by DDoS attack, sites taken down for hours

Monday, August 26th, 2013

China’s Internet was taken down in an attack on Sunday that could have been perpetrated by sophisticated hackers or a single individual, security experts say.

According to the Wall Street Journal, which earlier reported on the outage, China on Sunday was hit with what the government has called the biggest distributed denial-of-service attack ever to rock its “.cn” sites. The attack, which lasted up to four hours according to security company CloudFlare, left many sites with the .cn extension down. According to the Journal, parts of the affected sites were still accessible during the outage, due mainly to site owners storing parts of their pages in caches.

In a statement on the matter, China’s Internet watchdog China Internet Network Information Center confirmed the attack, saying that it was indeed the largest the country has ever faced. The group said that it was gradually restoring services and would work to improve the top-level domain’s security to safeguard against similar attacks.

It’s not currently known who attacked the Chinese domain. However, in a statement on the matter, CloudFlare CEO Matthew Prince said that while it’s possible a sophisticated group of hackers took .cn down, “it may have well been a single individual.”

Source:  CNET

Popular download management program has hidden DDoS component, researchers say

Friday, August 23rd, 2013

Recent versions of Orbit Downloader, a popular Windows program for downloading embedded media content and other types of files from websites, turn computers into bots and use them to launch distributed denial-of-service (DDoS) attacks, according to security researchers.

Starting with version 4.1.1.14 released in December, the Orbit Downloader program silently downloads and uses a DLL (Dynamic Link Library) component that has DDoS functionality, malware researchers from antivirus vendor ESET said Wednesday in a blog post.

The rogue component is downloaded from a location on the program’s official website, orbitdownloader.com, the ESET researchers said. An encrypted configuration file containing a list of websites and IP (Internet Protocol) addresses to serve as targets for attacks is downloaded from the same site, they said.

Orbit Downloader has been developed since at least 2006 and judging by download statistics from software distribution sites like CNET’s Download.com and Softpedia.com it is, or used to be, a popular program.

Orbit Downloader was downloaded almost 36 million times from Download.com to date and around 12,500 times last week. Its latest version is 4.1.1.18 and was released in May.

In a review of the program, a CNET editor noted that it installs additional “junk programs” and suggested alternatives to users who need a dedicated download management application.

When they discovered the DDoS component, the ESET researchers were actually investigating the “junk programs” installed by Orbit Downloader in order to determine if the program should be flagged as a “potentially unwanted application,” known in the industry as PUA.

“The developer [of Orbit Downloader], Innoshock, generates its revenue from bundled offers, such as OpenCandy, which is used to install third-party software as well as to display advertisements,” the researchers said, noting that such advertising arrangements are normal behavior for free programs these days.

“What is unusual, though, is to see a popular utility containing additional code for performing Denial of Service (DoS) attacks,” they said.

The rogue Orbit Downloader DDoS component is now detected by ESET products as a Trojan program called Win32/DDoS.Orbiter.A. It is capable of launching several types of attacks, the researchers said.

First, it checks if a utility called WinPcap is installed on the computer. This is a legitimate third-party utility that provides low-level network functionality, including sending and capturing network packets. It is not bundled with Orbit Downloader, but can be installed on computers by other applications that need it.

If WinPcap is installed, Orbit’s DDoS component uses the tool to send TCP SYN packets on port 80 (HTTP) to the IP addresses specified in its configuration file. “This kind of attack is known as a SYN flood,” the ESET researchers said.

If WinPcap is not present, the rogue component directly sends HTTP connection requests on port 80 to the targeted machines, as well as UDP packets on port 53 (DNS).

The attacks also use IP spoofing techniques, with the source IP addresses of the requests falling into address ranges that are hardcoded in the DLL file.

“On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam,” the ESET researchers said.
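The traffic ESET describes has a recognisable shape from the receiving side: a burst of bare SYNs to port 80 from many addresses, none of which ever completes the handshake, because the forged sources never see the SYN-ACK. The following detector is an added example written for this page, not ESET's tooling or code from Orbit Downloader; it runs over constructed packet summaries (documentation address ranges stand in for the real ones) and flags any one-second window in which a server socket receives many SYNs with almost no handshake completions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Summary of one TCP packet: time (s), addresses, server port, TCP flags."""
    ts: float
    src: str
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def syn_flood_windows(packets, window=1.0, min_syns=50, max_completion=0.2):
    """Return alerts as (dst, dport, window_start, syn_sources, completed).

    A window is flagged when at least `min_syns` distinct sources send a bare
    SYN to one server socket and at most `max_completion` of them follow up
    with the ACK that completes the handshake (spoofed sources never do).
    """
    syn_srcs = defaultdict(set)  # (dst, dport, bucket) -> sources that sent SYN
    ack_srcs = defaultdict(set)  # (dst, dport, bucket) -> sources that sent ACK
    for p in packets:
        key = (p.dst, p.dport, int(p.ts // window))
        if p.flags == "S":
            syn_srcs[key].add(p.src)
        elif p.flags == "A":
            ack_srcs[key].add(p.src)
    alerts = []
    for key, srcs in sorted(syn_srcs.items()):
        completed = len(srcs & ack_srcs[key])
        if len(srcs) >= min_syns and completed <= max_completion * len(srcs):
            alerts.append((key[0], key[1], key[2] * window, len(srcs), completed))
    return alerts


def constructed_traffic():
    """Constructed sample, not a capture: one second of ordinary browsing to
    192.0.2.10:80, then one second of spoofed SYNs from 198.51.100.0/24."""
    pkts = []
    for i in range(5):  # five real clients complete the three-way handshake
        client = f"203.0.113.{i + 1}"
        pkts.append(Pkt(0.1 * i, client, "192.0.2.10", 80, "S"))
        pkts.append(Pkt(0.1 * i + 0.02, "192.0.2.10", client, 50000 + i, "SA"))
        pkts.append(Pkt(0.1 * i + 0.04, client, "192.0.2.10", 80, "A"))
    for i in range(120):  # flood: 120 forged sources, no completion at all
        pkts.append(Pkt(1.0 + i / 120, f"198.51.100.{i + 1}", "192.0.2.10", 80, "S"))
    return pkts


if __name__ == "__main__":
    for dst, dport, start, n, done in syn_flood_windows(constructed_traffic()):
        print(f"{dst}:{dport} window@{start:.0f}s: {n} SYN sources, {done} completed")
```

The completion ratio is what separates a flood from a legitimate surge of visitors: a popular page produces many SYNs too, but almost all of them turn into established connections. The thresholds are deliberately low so the constructed sample trips them; against the rates quoted above they would be orders of magnitude higher.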

After adding a detection signature for the DLL component, the ESET researchers also identified an older file called orbitnet.exe that had almost the same functionality as the DLL file, but downloaded its configuration from a different website, not orbitdownloader.com.

This suggests that Orbit Downloader might have had DDoS functionality since before version 4.1.1.14. The orbitnet.exe file is not bundled with any older Orbit Downloader installers, but it might have been downloaded post-installation, like the DLL component.

This is a possibility, but it can’t be demonstrated with certainty, Peter Kosinar, a technical fellow at ESET who was involved in the investigation, said Thursday. It might also be distributed through other means, he said.

Adding to the confusion is that an older version of orbitnet.exe than the one found by ESET is distributed with Orbit Downloader 4.1.1.18. The reason for this is unclear since Orbit Downloader 4.1.1.18 also downloads and uses the DLL DDoS component. However, it indicates a clear relationship between orbitnet.exe and Orbit Downloader.

The fact that a popular program like Orbit Downloader is used as a DDoS tool creates problems not only for the websites that it’s used to attack, but also for the users whose computers are being abused.

According to Kosinar, there is no rate limit implemented for the packets sent by the DDoS component. This means that launching these attacks can easily consume the user’s Internet connection bandwidth, affecting the user’s ability to access the Internet through other programs.

Users who install Orbit Downloader expect the program to streamline their downloads and increase their speed, but it turns out that the application has the opposite effect.

Orbit Downloader is developed by a group called Innoshock, but it’s not clear if this is a company or just a team of developers. Attempts to contact Innoshock for comment Thursday via two Gmail addresses listed on its website and the Orbit Downloader site, as well as via Twitter, remained unanswered.

The program’s users also seem to have noticed its DDoS behavior judging by comments left on Download.com and the Orbit Downloader support forum.

“Orbit Downloader version 4.1.1.18 is generating a very high amount of DDoS traffic,” a user named raj_21er said on the support forum on June 12. “The DDoS flooding is so huge that it just hangs the gateway devices/network switches completely and breaks down the entire network operation.”

“I was using Orbit Downloader for the past one week on my desktop when I suddenly noticed that the internet access was pretty much dead in the last 2 days,” another user named Orbit_User_5500 said. Turning off the desktop system restored Internet access to the other network computers and devices, he said.

Since adding detection of this DDoS component, ESET received tens of thousands of detection reports per week from deployments of its antivirus products, Kosinar said.

Source:  csoonline.com

Shorter, higher-speed DDoS attacks on the rise, Arbor Networks says

Tuesday, July 30th, 2013

Almost half of the distributed denial-of-service attacks monitored in a threat system set up by Arbor Networks now reach speeds of over 1Gbps. That’s up 13.5% from last year, while the portion of DDoS attacks over 10Gbps increased about 41% in the same period, Arbor says.

In addition, the Arbor Networks monitoring system, which is based on anonymous traffic data from more than 270 service providers, saw in the second quarter of this year more than double the total number of attacks over 20Gbps that occurred in all of 2012. The only number that went down was the duration of these DDoS attacks, which now trend shorter, with 86% lasting less than one hour, according to the Arbor Networks trends report for the second quarter of 2013.

Jeff Wilson, principal network security analyst with Infonetics Research, says attackers have their own motivations for launching DDoS attacks, such as political ones or organized crime-related ones, but it’s the ready availability of botnets for hire and crowd-sourced attack tools that give them the easy means.

Separately, FireHost, a Dallas company focused on building in security defense as part of its web-hosting service, issued its own findings related to cyberattacks detected over the second quarter.

FireHost says its customers were targets for about 24 million different types of attacks. About 3.6 million of these blocked cyberattacks were aimed at compromising websites through what’s known as SQL Injection, Cross-Site Request Forgery (CSRF), Directory Traversal and Cross-Site Scripting (XSS). This represents an increase in web-compromising attacks of this type from the 3.4 million seen in the first quarter, FireHost says.

In the second quarter, the number of CSRF attacks rose 16% over the previous quarter, and SQL Injection attacks rose 28%. However, the XSS attacks, which involve the insertion of malicious code into webpages to manipulate visitors, remained the most prevalent attack type. FireHost says sometimes attacks are “blended” with other exploits and automated.

FireHost claims it’s not unusual to see these blended attacks originating from within cloud-service provider networks.

“Cybercriminals can easily deploy and administer powerful botnets that run on cloud infrastructure,” says FireHost founder and CEO Chris Drake. “Many cloud providers unfortunately don’t adequately validate new customer sign-ups, so opening accounts with fake information is quite easy.” After the account is set up, the attacker can run an automated process that can be leveraged to “deploy a lot of computing power on fast networks, giving a person the ability to create a lot of havoc with minimal effort,” Drake concludes.

Source:  networkworld.com

Report: Markets at risk due to cyberattacks against exchanges

Thursday, July 18th, 2013

Survey finds more than half of the world’s financial exchanges fell victim to some kind of cyberattack in the last year

A new report from the Research Department of the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE) Office says that cybercrime within the securities markets can be considered a potentially systemic risk.


A joint study, published by the IOSCO and the WFE, examines how cybercrime is evolving, and what kind of threat it poses to the world’s markets. In a survey of 46 financial exchanges, 53 percent of them reported experiencing some kind of cyberattack in the last year. As such, the study’s authors say that cybercrime within the securities markets can be considered a potentially systemic risk, a notion that a majority of the exchanges surveyed agreed with.

Based on the responses sent by the exchanges, most of the attacks that have been experienced are disruptive in nature, such as DDoS attacks that seek to prevent access to websites and networks. Otherwise they are malware-related. It should be noted that financial theft didn’t show up in any of the responses. These responses, the report notes, suggest a shift away from financial gain and towards more disruptive aims.

In addition, the report also says there is “a high level of awareness of the threat across exchanges surveyed.” Accordingly, 93 percent of the exchanges responded that cyber threats are discussed and understood by senior management, and the same proportion also confirmed that there are disaster recovery plans in place to deal with the aftermath of an attack. All of them reported that they’d be able to identify a cyberattack within 48 hours.

Overall, while the report shows that exchanges are highly aware of the risks they face, the full extent of the threat remains unknown.

“One way to overcome this uncertainty and still engage with cybercrime is to envision and list potential factors and scenarios where cybercrime could have the most devastating impacts and then mould responses to best engage with those factors, effectively minimizing opportunities for cyber attacks to manifest systemic consequences,” the report concludes.

One thing that a majority of the respondents confirmed was the fear that the potential impact of a major cyberattack could affect confidence and reputation, followed by integrity and efficiency, and financial stability. Thus, a broader and more robust system-wide response to the issue is needed.

Source:  csoonline.com

Network Solutions restores service after DDoS attack

Thursday, July 18th, 2013

Network Solutions said Wednesday it has restored services after a distributed denial-of-service (DDoS) attack knocked some websites it hosts offline for a few hours.

The company, which is owned by Web.com, registers domain names, offers hosting services, sells SSL certificates and provides other website-related administration services.

Network Solutions wrote on Facebook around mid-day Wednesday EDT that it was under attack. About three hours later, it said most customer websites should resolve normally.

Some customers commented on Facebook, however, that they were still experiencing downtime. Many suggested a problem with Network Solutions’ DNS (Domain Name System) servers, which are used to look up domain names and translate them into IP addresses that can be requested by a browser.

DDoS attacks are a favored method to disrupt websites and involve sending large amounts of data in hopes of overwhelming servers and causing websites to not respond to requests.

Focusing DDoS attacks on DNS servers has proven to be a very effective attack method. In early June, three domain name management and hosting providers — DNSimple, easyDNS and TPP Wholesale — reported DNS-related outages caused by DDoS attacks.

Hosting service DNSimple said it came under a DNS reflection attack, where DNS queries are sent to one party but the response is directed to another network, exhausting the victim network’s bandwidth.
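From the victim's side, a DNS reflection attack looks like a stream of DNS answers to questions nobody on the network asked. The following detector is an added example written for this page, not DNSimple's or any vendor's code: it tracks outbound queries by peer and transaction id, treats any inbound answer from port 53 that has no matching recent query as unsolicited, and ranks the sending servers by the bandwidth they are pouring in. All packet records are constructed and use documentation address ranges.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPkt:
    """Summary of one UDP datagram seen at the network edge."""
    ts: float
    direction: str   # "out" = sent by our network, "in" = arriving from outside
    peer: str        # the external host
    peer_port: int   # external host's port; 53 for DNS servers
    dns_id: int      # 16-bit DNS transaction id from the header
    size: int        # datagram length in bytes


def unsolicited_dns_responses(packets, timeout=5.0):
    """Return {peer_ip: (responses, bytes)} for inbound DNS answers with no
    matching outbound query (same peer, same transaction id) within `timeout`
    seconds. Ordinary resolution yields an empty dict; reflection traffic
    yields one entry per server whose answers are being aimed at us."""
    pending = {}                                   # (peer, id) -> time query left
    unsolicited = defaultdict(lambda: [0, 0])      # peer -> [count, bytes]
    for p in sorted(packets, key=lambda x: x.ts):
        if p.peer_port != 53:
            continue
        key = (p.peer, p.dns_id)
        if p.direction == "out":
            pending[key] = p.ts
            continue
        sent = pending.pop(key, None)
        if sent is None or p.ts - sent > timeout:
            unsolicited[p.peer][0] += 1
            unsolicited[p.peer][1] += p.size
    return {peer: tuple(v) for peer, v in unsolicited.items()}


def reflection_sources(packets, timeout=5.0, min_bytes_per_sec=10_000):
    """Return [(peer, responses, bytes_per_second)] for servers whose
    unsolicited answers exceed the threshold, busiest first."""
    if not packets:
        return []
    span = (max(p.ts for p in packets) - min(p.ts for p in packets)) or 1.0
    stats = unsolicited_dns_responses(packets, timeout)
    ranked = sorted(stats.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(peer, n, nbytes / span) for peer, (n, nbytes) in ranked
            if nbytes / span >= min_bytes_per_sec]


def constructed_capture():
    """Constructed, not a real capture: one ordinary lookup, then a burst of
    large answers from two open resolvers this network never queried."""
    pkts = [UdpPkt(0.00, "out", "192.0.2.53", 53, 0x1234, 60),
            UdpPkt(0.03, "in", "192.0.2.53", 53, 0x1234, 120)]
    for i in range(40):
        pkts.append(UdpPkt(1.0 + i * 0.01, "in", "198.51.100.5", 53, 1000 + i, 3000))
    for i in range(10):
        pkts.append(UdpPkt(1.0 + i * 0.02, "in", "198.51.100.6", 53, 2000 + i, 3000))
    return pkts


if __name__ == "__main__":
    for peer, n, rate in reflection_sources(constructed_capture()):
        print(f"{peer}: {n} unsolicited answers, {rate:,.0f} B/s")
```

Matching on transaction id as well as peer address is what keeps this from false-alarming on a busy resolver: a genuine answer always carries the id of a query that left moments earlier. The per-server list is also the useful output operationally, since those are the open resolvers whose operators (or whose upstream) can be asked to stop answering for spoofed clients.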

Source:  cso.com

Largest ever DDoS attack directed at financial firm, Prolexic reports

Tuesday, June 4th, 2013

DDoS attackers attempted to bring down an unnamed financial services firm earlier this week using one of the largest traffic bombardments ever recorded, mitigation firm Prolexic has reported.

The 167 Gbps peak attack hit what is being described only as a “realtime financial exchange” on 27 May using the same DNS reflection method used to strike anti-spam organisation Spamhaus in late March, the company said.

Although smaller than the Spamhaus assault, it still registered as the largest ever defended by Prolexic in its 10-year history, which must on its own make it one of the largest ever recorded.

Despite its size, Prolexic had been able to distribute the traffic across four sites in Hong Kong, San Jose, Ashburn in Virginia, and London, with the latter bearing the greatest burden at a peak of 90Gbps.

“This was a massive attack that made up in brute force what it lacked in sophistication,” commented Prolexic’s CEO, Scott Hammack.

“Because of the proactive DDoS defense strategies Prolexic had put in place with this client, no malicious traffic reached its website and downtime was avoided. In fact, the company wasn’t aware it was under attack.”

The fact that the attacked business was a customer of Prolexic is one important difference between the incident and what happened to Spamhaus.

When Spamhaus was assaulted by a vast 300Gbps peak DNS reflection attack, it engaged the help of a content delivery network (CDN) called CloudFlare to help defend itself. The attackers then turned their fire on the Tier-1 providers used by CloudFlare in an attempt to cause maximum harm.

The attackers picking on the financial services firm would have known that Prolexic’s mitigation stood between themselves and the target from the start, raising the possibility that they were testing the ability of this sort of attack to overload dedicated defenses.

“It’s only a matter of time, possibly by the end of this quarter, before the 200Gbps marker is crossed,” predicted Hammack.

The firm was investing in the infrastructure necessary to cope with up to 1.2Tbps peak traffic loads by the end of 2013, he added.

DNS reflection (or amplification) attacks have become a new front in DDoS tactics in recent times despite being widely discussed for years. One possibility is that they are partly a reaction to the growth of DDoS mitigation firms and the desire of attackers to boost the size of their activity using open responders.

As EU security agency ENISA pointed out after the Spamhaus incident, the vulnerabilities exploited by the attackers were addressed by IETF best practice recommendations as far back as the year 2000.
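The best-practice recommendation usually cited in this context is network ingress filtering, published by the IETF in 2000 as RFC 2827 / BCP 38: a router should drop any packet leaving a customer network whose source address could not legitimately have originated there, which removes the forged sources that both reflection attacks and the spoofed SYN floods described earlier on this page depend on. The check below is an added example for this page, not ENISA's, the IETF's or any vendor's code; the assigned prefixes and the packets are constructed from documentation address space.

```python
import ipaddress
from collections import Counter

# Constructed: the address space delegated to the customer network behind this router.
ASSIGNED_PREFIXES = (ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("2001:db8:10::/48"))


def source_is_valid(src, prefixes=ASSIGNED_PREFIXES):
    """True if `src` is a routable address inside one of the prefixes this
    interface is expected to carry; anything else cannot have originated here."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # Loopback, link-local, multicast and unspecified sources are never valid upstream.
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified):
        return False
    return any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=ASSIGNED_PREFIXES):
    """Apply the check to (src, dst) pairs leaving the customer network.
    Returns the forwarded pairs and a Counter of drops keyed by the /24 (IPv4)
    or /48 (IPv6) the forged source fell into, which shows an operator the
    pattern of what is being spoofed."""
    forwarded, dropped = [], Counter()
    for src, dst in packets:
        if source_is_valid(src, prefixes):
            forwarded.append((src, dst))
            continue
        try:
            addr = ipaddress.ip_address(src)
            plen = 24 if addr.version == 4 else 48
            bucket = str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
        except ValueError:
            bucket = "malformed"
        dropped[bucket] += 1
    return forwarded, dropped


def constructed_outbound():
    """Constructed sample: legitimate hosts plus packets whose forged sources
    lie in ranges never assigned to this network."""
    return [
        ("203.0.113.7", "192.0.2.10"),
        ("203.0.113.8", "192.0.2.10"),
        ("2001:db8:10::7", "2001:db8:ffff::1"),
        ("198.51.100.23", "192.0.2.10"),            # forged IPv4 source
        ("198.51.100.24", "192.0.2.10"),            # forged IPv4 source
        ("198.51.100.25", "192.0.2.10"),            # forged IPv4 source
        ("127.0.0.1", "192.0.2.10"),                # martian
        ("2001:db8:dead::1", "2001:db8:ffff::1"),   # forged IPv6 source
        ("not-an-address", "192.0.2.10"),           # malformed
    ]


if __name__ == "__main__":
    fwd, dropped = filter_outbound(constructed_outbound())
    print(f"forwarded {len(fwd)} packets; dropped by forged range: {dict(dropped)}")
```

The filter is only as good as the prefix list it is given, which is why the recommendation sits with the network closest to the end hosts: an access router knows exactly what it delegated, whereas a Tier-1 provider absorbing the Spamhaus traffic could not tell a forged source from a genuine one.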

Source:  networkworld.com

Spamhaus hacking suspect ‘had mobile attack van’

Monday, April 29th, 2013

A Dutchman accused of mounting one of the biggest attacks on the internet used a “mobile computing office” in the back of a van.

The 35-year-old, identified by police as “SK”, was arrested last week.

He has been blamed for being behind “unprecedentedly serious attacks” on non-profit anti-spam watchdog Spamhaus.

Dutch, German, British and US police forces took part in the investigation leading to the arrest, Spanish authorities said.

The Spanish interior minister said SK was able to carry out network attacks from the back of a van that had been “equipped with various antennas to scan frequencies”.

He was apprehended in the city of Granollers, 20 miles (35km) north of Barcelona. It is expected that he will be extradited from Spain to be tried in the Netherlands.

‘Robust web hosting’

Police said that upon his arrest SK told them he belonged to the “Telecommunications and Foreign Affairs Ministry of the Republic of Cyberbunker”.

Cyberbunker is a company that says it offers highly secure and robust web hosting for any material except child pornography or terrorism-related activity.

Spamhaus is an organisation based in London and Geneva that aims to help email providers filter out spam and other unwanted content.

To do this, the group maintains a number of blocklists: databases of servers known to be used for malicious purposes.

Police alleged that SK co-ordinated an attack on Spamhaus in protest over its decision to add servers maintained by Cyberbunker to a spam blacklist.

Overwhelm server

Spanish police were alerted in March to large distributed-denial-of-service (DDoS) attacks originating in Spain but affecting servers in the UK, Netherlands and US.

DDoS attacks attempt to overwhelm a web server by sending it many more requests for data than it can handle.

A typical DDoS attack employs about 50 gigabits of data per second (Gbps). At its peak the attack on Spamhaus hit 300Gbps.

In a statement in March, Cyberbunker “spokesman” Sven Kamphuis took exception to Spamhaus’s action, saying in messages sent to the press that it had no right to decide “what goes and does not go on the internet”.

Source:  BBC

Hackers increasingly target shared Web hosting servers for use in mass phishing attacks

Friday, April 26th, 2013

Nearly half of phishing attacks seen during the second half of 2012 involved the use of hacked shared hosting servers, APWG report says

Cybercriminals increasingly hack into shared Web hosting servers in order to use the domains hosted on them in large phishing campaigns, according to a report from the Anti-Phishing Working Group (APWG).

Forty-seven percent of all phishing attacks recorded worldwide during the second half of 2012 involved such mass break-ins, APWG said in the latest edition of its Global Phishing Survey report published Thursday.

In this type of attack, once phishers break into a shared Web hosting server, they update its configuration so that phishing pages are displayed from a particular subdirectory of every website hosted on the server, APWG said. A single shared hosting server can host dozens, hundreds or even thousands of websites at a time, the organization said.

APWG is a coalition of over 2000 organizations that include security vendors, financial institutions, retailers, ISPs, telecommunication companies, defense contractors, law enforcement agencies, trade groups, government agencies and more.

Hacking into shared Web hosting servers and hijacking their domains for phishing purposes is not a new technique, but this type of malicious activity reached a peak in August 2012, when APWG detected over 14,000 phishing attacks sitting on 61 servers. “Levels did decline in late 2012, but still remained troublingly high,” APWG said.

During the second half of 2012, there were at least 123,486 unique phishing attacks worldwide that involved 89,748 unique domain names, APWG said. This was a significant increase from the 93,462 phishing attacks and 64,204 associated domains observed by the organization during the first half of 2012.

“Of the 89,748 phishing domains, we identified 5,835 domain names that we believe were registered maliciously, by phishers,” APWG said. “The other 83,913 domains were almost all hacked or compromised on vulnerable Web hosting.”

In order to break into such servers, attackers exploit vulnerabilities in Web server administration panels like cPanel or Plesk and popular Web applications like WordPress or Joomla. “These attacks highlight the vulnerability of hosting providers and software, exploit weak password management, and provide plenty of reason to worry,” the organization said.

Cybercriminals break into shared hosting environments in order to use their resources in various types of attacks, not just phishing, APWG said. For example, since late 2012 a group of hackers has been compromising Web servers in order to launch DDoS (distributed denial-of-service) attacks against U.S. financial institutions.

In one mass attack campaign dubbed Darkleech, attackers compromised thousands of Apache Web servers and installed SSH backdoors on them. It’s not clear how the Darkleech attackers break into these servers in the first place, but vulnerabilities in Plesk, cPanel, Webmin or WordPress have been suggested as possible entry points.

Source:  networkworld.com

Iran blamed for cyberattacks on U.S. banks and companies

Monday, September 24th, 2012

Iran has recently mounted a series of disruptive computer attacks against major U.S. banks and other companies in apparent retaliation for Western economic sanctions aimed at halting its nuclear program, according to U.S. intelligence and other officials.

In particular, assaults this week on the Web sites of JPMorgan Chase and Bank of America probably were carried out by Iran, Sen. Joseph I. Lieberman (I-Conn.), chairman of the Homeland Security and Governmental Affairs Committee, said Friday.

“I don’t believe these were just hackers who were skilled enough to cause disruption of the Web sites,” said Lieberman in an interview taped for C-SPAN’s “Newsmakers” program. “I think this was done by Iran and the Quds Force, which has its own developing cyberattack capability.” The Quds Force is a special unit of Iran’s Revolutionary Guard Corps, a branch of the military.

Lieberman said he believed the efforts were in response to “the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”

U.S. officials suspect Iran was behind similar cyberattacks on U.S. and other Western businesses here and in the Middle East, some dating as far back as December. A conservative Web site, the Washington Free Beacon, reported that the intelligence arm of the Joint Chiefs of Staff said in an analysis Sept. 14 that the cyberattacks on financial institutions are part of a larger covert war being carried out by Tehran.

Unlike the cyberattacks attributed to the United States and Israel that disabled Iranian nuclear enrichment equipment, experts said, the Iranian attacks were intended to disrupt commercial Web sites. Online operations at Bank of America and Chase both experienced delays this week.

In a previously undisclosed episode, Iranian cyberforces attempted to disrupt the Web sites of oil companies in the Middle East in August by routing their efforts through major U.S. telecommunications companies, including AT&T and Level 3, according to U.S. intelligence and industry officials. They spoke on the condition that their names not be used because they were not authorized to speak to the press.

The effort did not cause serious disruptions, but it was the largest attempted denial-of-service attack against AT&T “by an order of magnitude,” said an industry official. A distributed denial-of-service, or DDOS, attack is designed to overload a Web site and block access to the server or site.

The U.S. intelligence community is increasingly concerned about Iran’s improving capability to mount attacks. Director of National Intelligence James R. Clapper Jr. told Congress in February that “Iran’s intelligence operations against the United States, including cyber capabilities, have dramatically increased in recent years in depth and complexity.”

“The Iranians aren’t very good yet,” said one U.S. intelligence official, who spoke on the condition of anonymity because of the topic’s sensitivity. “But they’re getting better rapidly, and they’re motivated to get better rapidly because they believe they’ve been attacked, and they have.”

Source:  washingtonpost.com