Thought you knew about DDoS? Think again

Twitch.tv is just the latest distributed denial-of-service (DDoS) victim in a seemingly never-ending stream of attacks. Shortly after Amazon announced that it had acquired the streaming gaming service, Twitch.tv experienced a coordinated DDoS attack that completely shut it down. For those who make their livelihood through the service, this attack was more than a nuisance. Failing to understand how DDoS attacks work and how dangerous they can be leaves your network open to risk. Below is a compilation of myths that you need to overcome if you hope to protect your assets.

Myth 1: Hackers launch DDoS attacks to consume network bandwidth.

In the news, the seriousness of a DDoS attack is typically measured by the size or amount of attack traffic (e.g. number of Gigabits per second). By using only this measure, the media leads many people to mistakenly believe that all DDoS attacks are targeting bandwidth resources. In fact, DDoS attacks can also be designed to consume system and application resources as well. Thus, the size of the attack traffic is only one of several aspects that determine the severity of an attack.

That’s because the same amount of attack traffic can produce a greater or lesser impact depending on the method employed. Sometimes, people mistakenly assume that SYN flood attacks are a type of DDoS attack that targets network bandwidth resources. In fact, the primary threat posed by SYN flood attacks is their consumption of connection table resources. Even with exactly the same level of attack traffic, a SYN flood attack is more dangerous than a UDP flood attack.

Myth 2: DDoS attacks are always flood attacks.

A DDoS attack connotes the idea of speed. Many people think of UDP flood attacks, SYN flood-type attacks, RST flood-type attacks and the like when they hear the phrase “DDoS attack.” In fact, although flood-type attacks account for a large proportion of DDoS attacks, not all of them are. There are also low-and-slow attack methods. Essentially, a DDoS attack consumes a large number of resources or occupies them for a long period of time in order to deny services to other users. Flood-type attacks rapidly send a large amount of data and requests to the target, but low-and-slow attacks are different. They slowly but persistently send requests to the target and thus occupy resources for a long time, eating away at the target’s resources bit by bit. If we view a DDoS attack as an assassination, a flood-type attack is like an assassin who uses a machine gun. A low-and-slow attack is akin to death by a thousand cuts.
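The distinction drawn in Myths 1 and 2 (bandwidth, connection-table slots and long-held slots are different resources) can be checked against traffic the way a defender would score one observation window. The following is an added example, not code from the original article; the flow records, link size, connection-table size and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    proto: str         # "tcp" or "udp"
    nbytes: int        # bytes received from src in this window
    syn_only: bool     # TCP SYN seen but handshake never completed (half-open)
    duration_s: float  # how long the flow has been held open

# Constructed 60-second observation windows; not data from the article.
WINDOW_S = 60.0
# Five sources pushing ~1.5 GB each: plenty of bytes, no connection state.
UDP_FLOOD = [Flow(f"198.51.100.{i}", "udp", 1_500_000_000, False, WINDOW_S)
             for i in range(1, 6)]
# 6000 half-open SYNs from (spoofed) addresses: almost no bytes at all.
SYN_FLOOD = [Flow(f"203.0.113.{i % 250 + 1}", "tcp", 60, True, 0.0)
             for i in range(6000)]
# 6000 completed connections each trickling ~20 B/s for the whole window.
LOW_AND_SLOW = [Flow(f"192.0.2.{i % 250 + 1}", "tcp", 1_200, False, WINDOW_S)
                for i in range(6000)]

def assess(flows, window_s=WINDOW_S, link_mbps=1000.0, conn_table=10_000, hold_s=30.0):
    """Score a window on the three resources the article distinguishes:
    link bandwidth, connection-table slots eaten by half-open SYNs, and
    slots tied up by long-held, nearly idle connections."""
    mbps = sum(f.nbytes for f in flows) * 8 / window_s / 1e6
    half_open = sum(1 for f in flows if f.proto == "tcp" and f.syn_only)
    # duration_s >= hold_s is checked first, so the division never sees 0.
    slow = sum(1 for f in flows if f.proto == "tcp" and not f.syn_only
               and f.duration_s >= hold_s and f.nbytes / f.duration_s < 100)
    verdicts = []
    if mbps >= 0.8 * link_mbps:
        verdicts.append("volumetric")
    if half_open >= 0.5 * conn_table:
        verdicts.append("syn-flood")
    if slow >= 0.5 * conn_table:
        verdicts.append("low-and-slow")
    return {"mbps": round(mbps, 3), "half_open": half_open,
            "slow_holds": slow, "verdicts": verdicts}

if __name__ == "__main__":
    for name, win in (("udp flood", UDP_FLOOD), ("syn flood", SYN_FLOOD),
                      ("low-and-slow", LOW_AND_SLOW)):
        print(name, assess(win))
```

A bandwidth-only monitor would rate the SYN and low-and-slow windows as under 1 Mbps, yet both exhaust half of a 10,000-entry connection table.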

Myth 3: Botnets of hijacked PCs are the source of all DDoS attacks.

Internet security professionals adhere to the tenet that all DDoS attacks are launched from botnets. However, not all attacks are carried out by botnets composed of personal computers that have been hijacked by hackers. As technology has advanced, the processing performance and bandwidth of high-performance servers used by service providers have rapidly increased. Correspondingly, the development and use of traditional botnets composed of PCs have slowed. Besides the processing capability factor, PCs normally have very limited bandwidth resources, and their in-use periods fluctuate. Therefore, some hackers have begun to look to high-performance servers; these were used during Operation Ababil’s attacks on U.S. banks. In addition, attacks are not always carried out by commandeering sources; the hacktivist group Anonymous prefers to launch attacks using large numbers of real participants. We call this a “voluntary botnet.”

Myth 4: Vandalism and mischief are the only goals of DDoS attacks.

People don’t understand the motives of hackers; why use all that brainpower for no purpose? DDoS attacks take some technical skill and directly result in the destruction of network service availability. This doesn’t seem to benefit hackers, but hiding behind this simplistic stereotype are hackers who know the value of a bitcoin. The current generation of hackers are much more sensitive to benefit calculations than average people. They use destructive power in exchange for profit, they use destructive deterrents to avoid losses to themselves and they use destruction as leverage to shift the playing field to their advantage. Destruction is only one part of DDoS attack motivation; the true goal is almost always profit of some sort.

Myth 5: DDoS attacks are not a concern for small websites and businesses.

If you operate a website, even if you derive little income from it or engage in non-profit activities, you are still not exempt. Any site can be considered fair game for profit. When cybercriminals are choosing extortion targets, they know that attacks on major websites may be more profitable, but at the same time the costs and risks are usually also greater. However, with smaller sites, their defenses are usually weaker and an attack is more likely to succeed. Furthermore, competition is one of the major reasons that spurs DDoS attacks. Newcomer businesses may attack established businesses to steal customers, and established businesses may attack newcomers to remove potential competition. Malicious retaliatory attacks might not be concerned with size and scale; they may just want to prove a point. As long as a website is vulnerable, it may suffer a DDoS attack.

Source: http://www.scmagazine.com/understanding-the-ddos-threat/article/376191/


Drone Incident Followed By A Massive Hackers’ Attack On Serbian Media

BELGRADE – After the football match Serbia – Albania was abandoned because of a drone carrying a flag of the so-called “Greater Albania”, a massive hackers’ attack on Serbian media websites followed, organized by the Albanians, said the president of the Association for Information Security of Serbia, Zoran Zivkovic.

“On Tuesday, after 9 pm, websites of all relevant media in our country were targeted by a massive organized hackers’ attack, and only one remained intact,” said Zivkovic for “Vecernje Novosti”. He said that the so-called DDoS attack on Serbian media’s websites was performed with approximately 1.5 million computers around the world, and the Albanians were not able to do it independently, but were able to pay for help. Speaking of the price that the Albanian side had to pay to “someone,” Zivkovic said that the average value of a DDoS attack is 100,000 dollars per hour. He is convinced that the attack was paid to some major hacker organizations, which control “bots” on millions of computers, whose owners do not know [that their computers are "zombies"], and that the precision of the attacks and the selection of targets indicate that everything was carefully planned. He said the attack lasted several hours and was stronger than 35 gigabits per second, which is unprecedented in our region. The peak of the attack, according to an analysis made by Zivkovic, took place at 9.30 pm, when the “attackers” bombed Serbian media servers with 40 gigabits per second, and only one well-protected site remained intact, while the others were blocked, over-flooded.

Source: http://inserbia.info/today/2014/10/drone-incident-followed-by-a-massive-hackers-attack-on-serbian-media/


Reflection DDoS Attacks Using Millions of UPnP Devices on the Rise

After successfully launching reflection and amplification Distributed Denial-of-Service (DDoS) attacks by abusing various protocols such as DNS, NTP and SMTP, hackers are now abusing the Simple Service Discovery Protocol (SSDP) – part of the UPnP protocol standard – to target home and office devices, researchers warned.
SSDP is a network protocol based on the Internet Protocol Suite that comes enabled on millions of networked devices, such as computers, printers, Internet gateways, Router / Wi-Fi access points, mobile devices, webcams, smart TVs and gaming consoles, to discover each other and automatically establish working configurations that enable data sharing, media streaming, media playback control and other services.
FLAW IN UPnP USED IN AMPLIFICATION DDoS ATTACK
The Prolexic Security Engineering & Response Team (PLXsert) at Akamai Technologies has issued a warning that devices used in residential or small office environments have, since July, been co-opted into reflection and amplification distributed denial-of-service (DDoS) attacks that abuse communications protocols enabled on UPnP devices.

“The rise of reflection attacks involving UPnP devices is an example of how fluid and dynamic the DDoS crime ecosystem can be in identifying, developing and incorporating new resources and attack vectors into its arsenal,” the advisory states. “Further development and refinement of attack payloads and tools is likely in the near future.”

The weakness in the Universal Plug-and-Play (UPnP) standard could allow an attacker to compromise millions of its consumer and business devices, which could be conscripted by them to launch an effective DDoS attack on a target.
Attackers have found that Simple Object Access Protocol (SOAP) – a protocol used to exchange sensitive information in a decentralized, distributed environment – requests “can be crafted to elicit a response that reflects and amplifies a packet, which can be redirected towards a target.”
This UPnP attack is useful for both reflection attacks, given the number of vulnerable devices, and amplification as researchers estimate that it can magnify attack traffic by a factor of 30, according to the advisory.
OVER 4.1 MILLION DEVICES VULNERABLE
According to the security researchers, about 38 percent of the 11 million Internet-facing UPnP devices, i.e. over 4.1 million devices, in use are potentially vulnerable to being used in this type of reflection DDoS attack.

“The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch,” said Akamai security business unit senior vice president and general manager Stuart Scholly. “Action from firmware, application and hardware vendors must occur in order to mitigate and manage this threat.”

MAJOR TARGETED COUNTRIES 
South Korea has the largest number of vulnerable devices, followed by the United States, Canada, and China, according to the advisory.
This isn’t the first time that a security flaw in UPnP has allowed attackers to target home and business devices: back in January 2013, a flaw in UPnP exposed more than 50 million computers, printers and storage drives to remote attack by hackers.
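The advisory describes two roles a site can end up in: its UPnP devices answering SSDP requests from the Internet (and so acting as reflectors for someone else’s attack), or being the target that receives the amplified replies. The following is an added example, not code from the advisory or from Akamai; the address ranges, packet sizes and the 192.0.2.0/24 “internal” network are constructed assumptions, chosen so that the reflector case reproduces the roughly 30x amplification the advisory estimates.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SSDP_PORT = 1900
INTERNAL = ip_network("192.0.2.0/24")  # assumed address space of the protected site

def sample_capture():
    """Constructed summary of UDP datagrams seen at the site's edge:
    (src_ip, src_port, dst_ip, dst_port, length_bytes). Not real traffic."""
    pkts = []
    # Case 1: external hosts send ~100-byte M-SEARCH requests to our UPnP
    # device, which answers each with ~3000 bytes of SOAP/XML. Our device
    # is the reflector; the requests carry someone else's spoofed address.
    for i in range(1, 41):
        pkts.append((f"198.51.100.{i}", 40000 + i, "192.0.2.10", SSDP_PORT, 100))
        pkts.append(("192.0.2.10", SSDP_PORT, f"198.51.100.{i}", 40000 + i, 3000))
    # Case 2: 200 external devices send SSDP replies to a host of ours that
    # never asked. We are the target of a reflection attack.
    for i in range(1, 201):
        pkts.append((f"203.0.113.{i % 250 + 1}", SSDP_PORT, "192.0.2.80", 443, 3000))
    return pkts

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def analyse(pkts, min_reflectors=50):
    """Return findings as (kind, internal_host, measure) tuples."""
    req_bytes = defaultdict(int)    # per device: inbound SSDP request bytes
    resp_bytes = defaultdict(int)   # per device: SSDP reply bytes sent to the Internet
    reflectors = defaultdict(set)   # per target: external sources replying from udp/1900
    for src, sport, dst, dport, length in pkts:
        if is_internal(dst) and not is_internal(src):
            if dport == SSDP_PORT:
                req_bytes[dst] += length
            elif sport == SSDP_PORT:
                reflectors[dst].add(src)
        elif is_internal(src) and not is_internal(dst) and sport == SSDP_PORT:
            resp_bytes[src] += length
    findings = []
    # Any SSDP reply leaving the site is wrong; report the amplification it gives.
    for dev, out in resp_bytes.items():
        amp = out / req_bytes[dev] if req_bytes[dev] else float("inf")
        findings.append(("abused-reflector", dev, round(amp, 1)))
    for target, srcs in reflectors.items():
        if len(srcs) >= min_reflectors:
            findings.append(("reflection-target", target, len(srcs)))
    return findings
```

The first finding is the one a site owner can fix directly, by not exposing UDP/1900 to the WAN; the second is what the advisory says the 4.1 million open reflectors make possible against anyone.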


Source: http://thehackernews.com/2014/10/reflection-ddos-attacks-using-millions_16.html


ANONYMOUS PLANS ATTACKS ON CHINESE STATE

Hacking group Anonymous plans to launch DDoS attacks.

Online activist group Anonymous has threatened to leak thousands of Chinese Government email addresses and blackout Chinese and Hong Kong Government websites through DDoS attacks, to show its solidarity with the Umbrella Movement.

The group’s campaign, named Operation Hong Kong, plans to launch DDoS attacks on the network by bombarding it with traffic, which could result in a network crash.

Reuters reported Anonymous as saying in a statement: “Here’s your heads up, prepare for us, try to stop it, the only success you will have will be taking all your sites offline.

“China, you cannot stop us. You should have expected us before abusing your power against the citizens of Hong Kong.”

The online protestors are planning to attack websites belonging to the Ministry of Defense, China’s Ministry of Public Security, Hong Kong police and Ministry of Justice.

The Hong Kong Liaison Office reported that its website had already been attacked twice in a week, with visitors blocked from entering the site, but the website resumed its activity shortly after each outage.

In a statement given to Reuters China’s Defense Ministry said: “We have taken necessary steps to protect the safe operation of the Defense Ministry website.”

People in Hong Kong have been protesting the Chinese Government’s decision to put restrictions through electoral reforms.

Source: http://www.cbronline.com/news/security/anonymous-plans-attacks-on-chinese-state-4402496


DDoS attacks: slow and smart is the order of the day

Whilst the trend for distributed denial of service (DDoS) attacks has been towards larger and larger (aka volumetric) attacks in recent years, a new report just published claims to show that slow-and-low, with smart, short IP bursts, is now a lot more commonplace.

For its third annual set of research, Neustar interviewed IT professionals from around 450 companies, concluding that businesses are now seeing a more unstable and complex landscape.

Over the last year, says the report, DDoS attacks have evolved in terms of their strategy and tactics, with IT professionals seeing increased media reports of ‘smokescreening’ – where criminals use DDoS attacks to distract IT staff while inserting malware to breach bank accounts and customer data.

More than half of attacked companies reported theft of funds, data or intellectual property. Such cyber-attacks are intense but shorter-lived, more surgical than sustained strikes whose goal is extended downtime.

More than 47 percent of respondents said they viewed DDoS attacks as a greater threat than in 2012, whilst another 44 percent believe the problem is just as serious. In 2013, DDoS continued to cripple websites, shut down operations and cost millions of dollars in downtime, customer service and brand damage.

According to Rodney Joffe, Neustar’s senior technologist, when there’s a tremendous storm, most people run around the house making sure all the windows are closed and you have a flashlight ready.

“You’re not worried about anything else. DDoS attacks are similar. They create an all-hands-on-deck mentality, which is understandable but sometimes dangerous,” he said, adding that with DDoS attacks the stakes are high: if you are a criminal, why mess around with extortion when you can just go ahead and steal, and on a much greater scale?

Neustar’s analysis also shows a trend towards shorter DDoS attacks, but also more attacks from 1Gbps to 5Gbps – that is, quicker, more concentrated strikes.

“While it’s too soon to say for sure, this could stem from a highly damaging tactic, DDoS smokescreening,” says the report, adding that smokescreening is used to distract IT staff whilst the criminals grab and clone private data to siphon off funds, intellectual property and more.

Solutions
One solution, concludes the report, is for organisations to install dedicated DDoS protection, as scrambling to find a solution in the midst of an emergency only adds to the chaos, and to any intended diversion.

According to Sarb Sembhi, a director of Storm Guidance, the report tracks some interesting trends.

“If you look at large companies suffering attacks, it is clear that the DDoS methodologies being used are getting very sophisticated,” he said, adding that a key aspect is that they are often relatively slow – but smart – in nature.
“With larger companies it is clear that the cyber-criminals are doing their research. They are clearly also testing their technology with smaller companies, and then using those companies’ IT systems as their own assets to launch other attacks,” he said.

Sembhi went on to say that his observations also suggest that larger companies are now starting to install layers of protection – as the report recommends – to remediate against a DDoS attack when it takes place.

Source: http://www.scmagazineuk.com/ddos-attacks-slow-and-smart-is-the-order-of-the-day/article/376283/

