Posts Tagged ‘DOS’

Huge hack ‘ugly sign of future’ for internet threats

Tuesday, February 11th, 2014

A massive attack that exploited a key vulnerability in the infrastructure of the internet is the “start of ugly things to come”, it has been warned.

Online security specialists Cloudflare said it recorded the “biggest” attack of its kind on Monday.

Hackers used weaknesses in the Network Time Protocol (NTP), a system used to synchronise computer clocks, to flood servers with huge amounts of data.

The technique could potentially be used to force popular services offline.

Several experts had predicted that the NTP would be used for malicious purposes.

The target of this latest onslaught is unknown, but it was directed at servers in Europe, Cloudflare said.

Attackers used a well-known method to bring down a system known as Denial of Service (DoS) – in which huge amounts of data are forced on a target, causing it to fall over.

Cloudflare chief executive Matthew Prince said his firm had measured the “very big” attack at about 400 gigabits per second (Gbps), 100Gbps larger than an attack on anti-spam service Spamhaus last year.

Predicted attack

In a report published three months ago, Cloudflare warned that attacks on the NTP were on the horizon and gave details of how web hosts could best try to protect their customers.

NTP servers, of which there are thousands around the world, are designed to keep computers synchronised to the same time.

The fundamentals of the NTP began operating in 1985. While there have been changes to the system since then, it still operates in much the same way.

A computer needing to synchronise time with the NTP will send a small amount of data to make the request. The NTP will then reply by sending data back.

The vulnerability lies with two weaknesses. Firstly, the amount of data the NTP sends back is bigger than the amount it receives, meaning an attack is instantly amplified.

Secondly, the original computer’s location can be “spoofed”, tricking the NTP into sending the information back to somewhere else.

In this attack, it is likely that many machines were used to make requests to the NTP. Hackers spoofed their location so that the massive amounts of data from the NTP were diverted to a single target.

“Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the internet,” Cloudfare explained in a blog outlining the vulnerability, posted last month.

‘Ugly future’

The NTP is one of several protocols used within the infrastructure of the internet to keep things running smoothly.

Unfortunately, despite being vital components, most of these protocols were designed and implemented at a time when the prospect of malicious activity was not considered.

“A lot of these protocols are essential, but they’re not secure,” explained Prof Alan Woodward, an independent cyber-security consultant, who had also raised concerns over NTP last year.

“All you can really do is try and mitigate the denial of service attacks. There are technologies around to do it.”

Most effective, Prof Woodward suggested, was technology that was able to spot when a large amount of data was heading for one destination – and shutting off the connection.

Cloudflare’s Mr Prince said that while his firm had been able to mitigate the attack, it was a worrying sign for the future.

“Someone’s got a big, new cannon,” he tweeted. “Start of ugly things to come.”

Source:  BBC

DoS attacks that took down big game sites abused Web’s time-sync protocol

Friday, January 10th, 2014

Miscreants who earlier this week took down servers for League of Legends, EA.com, and other online game services used a never-before-seen technique that vastly amplified the amount of junk traffic directed at denial-of-service targets.

Rather than directly flooding the targeted services with torrents of data, an attack group calling itself DERP Trolling sent much smaller sized data requests to time-synchronization servers running the Network Time Protocol (NTP). By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly amplify the firepower at their disposal. A spoofed request containing eight bytes will typically result in a 468-byte response to a victim, a more than 58-fold increase.

“Prior to December, an NTP attack was almost unheard of because if there was one it wasn’t worth talking about,” Shawn Marck, CEO of DoS-mitigation service Black Lotus, told Ars. “It was so tiny it never showed up in the major reports. What we’re witnessing is a shift in methodology.”

The technique is in many ways similar to the DNS-amplification attacks waged on servers for years. That older DoS technique sends falsified requests to open domain name system servers requesting the IP address for a particular site. DNS-reflection attacks help aggravate the crippling effects of a DoS campaign since the responses sent to the targeted site are about 50 times bigger than the request sent by the attacker.

During the first week of the year, NTP reflection accounted for about 69 percent of all DoS attack traffic by bit volume, Marck said. The average size of each NTP attack was about 7.3 gigabits per second, a more than three-fold increase over the average DoS attack observed in December. Correlating claims DERP Trolling made on Twitter with attacks Black Lotus researchers were able to observe, they estimated the attack gang had a maximum capacity of about 28Gbps.

NTP servers help people synchronize their servers to very precise time increments. Recently, the protocol was found to suffer from a condition that could be exploited by DoS attackers. Fortunately, NTP-amplification attacks are relatively easy to repel. Since virtually all the NTP traffic can be blocked with few if any negative consequences, engineers can simply filter out the packets. Other types of DoS attacks are harder to mitigate, since engineers must first work to distinguish legitimate data from traffic designed to bring down the site.

Black Lotus recommends network operators follow several practices to blunt the effects of NTP attacks. They include using traffic policers to limit the amount of NTP traffic that can enter a network, implementing large-scale DDoS mitigation systems, or opting for service-based approaches that provide several gigabits of standby capacity for use during DDoS attacks.

Source:  arstechnica.com

Google unveils an anti-DDoS platform for human rights organizations and media, but will it work?

Tuesday, October 22nd, 2013

Project Shield uses company’s infrastructure to absorb attacks

On Monday, Google announced a beta service that will offer DDoS protection to human rights organizations and media, in and effort to slow the amount of censorship that such attacks cause.

The announcement of Project Shield, the name given to the anti-DDoS platform, came during a presentation in New York, at the Conflict in a Connected World summit. The gathering included security experts, hacktivists, dissidents, and technologists, in order to explore the nature of conflict and how online tools can both be a source of protection and harm when it comes to expression, and information sharing.

“As long as people have expressed ideas, others have tried to silence them. Today one out of every three people lives in a society that is severely censored. Online barriers can include everything from filters that block content to targeted attacks designed to take down websites. For many people, these obstacles are more than an inconvenience — they represent full-scale repression,” the company explained in a blog post.

Project Shield uses Google’s massive infrastructure to absorb DDoS attacks. Enrollment in the service is invite only at the moment, but it could be expanded considerable in the future. The service is free, but will follow page speed pricing, should Google open enrollment and charge for it down the line.

However, while the service is sure to help smaller websites, such as those ran by dissidents exposing corrupt regimes, or media speaking out against those in power, Google makes no promises.

“No guarantees are made in regards to uptime or protection levels. Google has designed its infrastructure to defend itself from quite large attacks and this initiative is aimed at providing a similar level of protection to third-party websites,” the company explains in a Project Shield outline.

One problem Project Shield may inadvertently create is a change in tactics. If the common forms of DDoS attacks are blocked, then more advanced forms of attack will be used. Such an escalation has already happened for high value targets, such as banks and other financial services websites.

“Using Google’s infrastructure to absorb DDoS attacks is structurally like using a CDN (Content Delivery Network) and has the same pros and cons,” Shuman Ghosemajumder, VP of strategy at Shape Security, told CSO during an interview.

The types of attacks a CDN would solve, he explained, are network-based DoS and DDoS attacks. These are the most common, and the most well-known attack types, as they’ve been around the longest.

In 2000, flood attacks were in the 400Mb/sec range, but today’s attacks scale to regularly exceed 100Gb/sec, according to anti-DDoS vendor Arbor Networks. In 2010, Arbor started to see a trend led by attackers who were advancing DDoS campaigns, by developing new tactics, tools, and targets. What that has led to is a threat that mixes flood, application and infrastructure attacks in a single, blended attack.

“It is unclear how effective [Project Shield] would be against Application Layer DoS attacks, where web servers are flooded with HTTP requests. These represent more leveraged DoS attacks, requiring less infrastructure on the part of the attacker, but are still fairly simplistic. If the DDoS protection provided operates at the application layer, then it could help,” Ghosemajumder said.

“What it would not protect against is Advanced Denial of Service attacks, where the attacker uses knowledge of the application to directly attack the origin server, databases, and other backend systems which cannot be protected against by a CDN and similar means.”

Google hasn’t mentioned directly the number of sites currently being protected by Project Shield, so there is no way to measure the effectiveness of the program from the outside.

In related news, Google also released a second DDoS related tool on Monday, which is possible thanks to data collected by Arbor networks. The Digital Attack Map, as the tool is called, is a monitoring system that allows users to see historical DDoS attack trends, and connect them to related news events on any given day. The data is also shown live, and can be granularly sorted by location, time, and attack type.

Source:  csoonline.com

PHP 5.3.10 fixes critical remote code execution vulnerability

Monday, February 6th, 2012

The vulnerability was introduced by the fix for a hash collision denial-of-service flaw

The PHP Group released PHP 5.3.10 on Thursday in order to address a critical security flaw that can be exploited to execute arbitrary code on servers running an older version of the Web development platform.

The vulnerability is identified as CVE-2012-0830 and was discovered by Stefan Esser, an independent security consultant and creator of the popular Suhosin security extension for PHP.

SecurityFocus classifies the issue as a design error because it was accidentally introduced while fixing a separate denial-of-service (DoS) vulnerability in early January.

That vulnerability is known as CVE-2011-4885 and was disclosed in December 2011 at the Chaos Communication Congress by security researchers Alexander Klink and Julian Wälde.

It affects a number of Web development platforms including PHP, ASP.NET, Java and Python and can be exploited in a so-called hash collision attack. The PHP development team addressed CVE-2011-4885 in PHP 5.3.9, which was released on Jan. 10.

“The fix for the Hash Collision DoS introduced a new directive (max_input_vars) to limit the number of accepted input variables,” said Carsten Eiram, chief security specialist at vulnerability research firm Secunia.

“However, due to a logic error in the “php_register_variable_ex()” function in php_variables.c certain cases are not handled correctly when the number of supplied variables is greater than the imposed limit,” he explained.

This error can be exploited by attackers to remotely execute arbitrary code on a system that runs a vulnerable PHP installation. PHP 5.3.9 along with any older versions for which the hash collision DoS patch was backported, are affected, Eiram said.

Proof-of-concept code that exploits this vulnerability has already been published online, so the likelihood of attacks targeting CVE-2012-0830 are high. Web servers administrators are advised to upgrade to PHP 5.3.10 immediately.

Source:  infoworld.com

Attack code published for serious ASP.Net DoS vulnerability

Tuesday, January 10th, 2012

The code exploits a recently patched denial-of-service vulnerability

Exploit code for a recently patched DoS (denial-of-service) vulnerability that affects Microsoft’s ASP.Net Web development platform has been published online, therefore increasing the risk of potential attacks.

The vulnerability, identified as CVE-2011-3414, was disclosed in December at the Chaos Communication Congress, Europe’s largest and oldest hacker conference. Shortly afterward Microsoft published a security advisory and released an out-of-band patch for the flaw.

The type of attack facilitated by this vulnerability affects other Web application platforms as well, and each of them has its own mitigation instructions. “This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a Web server, or even on a cluster of Web servers,” explained Suha Can and Jonathan Ness, two Microsoft Security Response Center engineers, in a blog post back in December.

“For ASP.Net in particular, a single specially crafted ~100kb HTTP request can consume 100 percent of one CPU core for between 90 and 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers,” they said.

On Friday, a user who calls himself HybrisDisaster, published a proof-of-concept exploit for the ASP.Net vulnerability on GitHub, a platform that hosts open source development projects.

In the notes accompanying the exploit code, HybrisDisaster encourages people to download it, use it how they see fit, and spread it. He also signs off with “We are Legion. Expect us,” a slogan commonly associated with the Anonymous hacktivist collective.

HybrisDisaster did not immediately return a request for comment about his affiliation with Anonymous. However, over the years, the well-known hacktivist group regularly used DoS attacks to support of its operations, it’s members considering the activity a legitimate form of online protesting.

The high likelihood of someone releasing attack code for this vulnerability played an important part in Microsoft’s decision to release an out-of-band patch. “We anticipate the imminent public release of exploit code,” Can and Ness said shortly after the vulnerability was disclosed.

Webmasters who maintain ASP.Net Web applications should immediately deploy the patches in Microsoft’s MS11-100 security bulletin, which also address other ASP.Net vulnerabilities as well.

Source:  infoworld.com

Alphabetical command line list (Microsoft)

Tuesday, July 13th, 2010

The following list of Microsoft commands may come in handy for the post DOS generation (definitions sold separately…):

Arp
Assoc
At
Atmadm
Attrib
Batch files
Bootcfg
Break
Cacls
Call
Change
Chcp
Chdir
Chkdsk
Chkntfs
Cipher
Cls
Cmd
Cmstp
Color
Command shell overview
Comp
Compact
Convert
Copy
Cprofile
CScript overview
Date
Defrag
Del
Dir
Diskcomp
Diskcopy
DiskPart
Doskey
Driverquery
Echo
Endlocal
Eventcreate
Eventquery
Eventtriggers
Evntcmd
Exit
Expand
Fc
Filter commands
Find
Findstr
Finger
Flattemp
For
Format
Fsutil
Ftp
Ftp subcommands
Ftype
Getmac
Goto
Gpresult
Gpupdate
Graftabl
Help
Helpctr
Hostname
If
Ipconfig
Ipseccmd
Ipxroute
Irftp
Label
Lodctr
Logman
Lpq
Lpr
Macfile
Mkdir (md)
Mmc
Mode
More
Mountvol
Move
MS-DOS subsystem configuration commands
Msiexec
Msinfo32
Nbtstat
Net services overview
Net services commands
Netsh command overview
Netsh commands for AAAA
Netsh commands for DHCP
Netsh diagnostic (diag) commands
Netsh commands for Interface IP
Netsh commands for RAS
Netsh commands for Routing
Netsh commands for WINS
Netstat
Nslookup
Nslookup subcommands
Ntbackup
Ntcmdprompt
Ntsd
Openfiles
Pagefileconfig
Path
Pathping
Pause
Pbadmin
Pentnt
Perfmon
Ping
Popd
Print
Prncnfg
Prndrvr
Prnjobs
Prnmngr
Prnport
Prnqctl
Prompt
Pushd
Query
Rasdial
Rcp
Recover
Redirection operators
Reg
Regsvr32
Relog
Rem
Rename
Replace
Reset session
Rexec
Rmdir
Route
Rsh
Rsm
Runas
Sc
Schtasks
Secedit
Set
Setlocal
Shift
Shutdown
Sort
Start
Subst
Systeminfo
System File Checker (sfc)
Taskkill
Tasklist
Tcmsetup
TCP/IP utilities and services
Telnet commands
Terminal Services commands
Tftp
Time
Title
Tracerpt
Tracert
Tree
Type
Typeperf
Unlodctr
Ver
Verify
Vol
Vssadmin
W32tm
Winnt
Winnt32
WMIC overview
Xcopy