Various implementations of HTTP/2, the latest version of the HTTP network protocol, have been found vulnerable to multiple security vulnerabilities affecting the most popular web server software, including Apache, Microsoft’s IIS, and NGINX.

Launched in May 2015, HTTP/2 has been designed for better security and improved online experience by speeding up page loads. Today, over hundreds of millions of websites, or some 40 percent of all the sites on the Internet, are running using HTTP/2 protocol.

A total of eight high-severity HTTP/2 vulnerabilities, seven discovered by Jonathan Looney of Netflix and one by Piotr Sikora of Google, exist due to resource exhaustion when handling malicious input, allowing a client to overload server’s queue management code.

The vulnerabilities can be exploited to launch Denial of Service (DoS) attacks against millions of online services and websites that are running on a web server with the vulnerable implementation of HTTP/2, knocking them offline for everyone.

The attack scenario, in layman’s terms, is that a malicious client asks a targeted vulnerable server to do something which generates a response, but then the client refuses to read the response, forcing it to consume excessive memory and CPU while processing requests.

“These flaws allow a small number of low bandwidth malicious sessions to prevent connection participants from doing additional work. These attacks are likely to exhaust resources such that other connections or processes on the same machine may also be impacted or crash,” Netflix explains in an advisory released Tuesday.

Most of the below-listed vulnerabilities work at the HTTP/2 transport layer:

  1. CVE-2019-9511 — HTTP/2 “Data Dribble”
  2. CVE-2019-9512 — HTTP/2 “Ping Flood”
  3. CVE-2019-9513 — HTTP/2 “Resource Loop”
  4. CVE-2019-9514 — HTTP/2 “Reset Flood”
  5. CVE-2019-9515 — HTTP/2 “Settings Flood”
  6. CVE-2019-9516 — HTTP/2 “0-Length Headers Leak”
  7. CVE-2017-9517 — HTTP/2 “Internal Data Buffering”
  8. CVE-2019-9518 — HTTP/2 “Request Data/Header Flood”

“Some are efficient enough that a single end-system could potentially cause havoc on multiple servers. Other attacks are less efficient; however, even less efficient attacks can open the door for DDoS attacks which are difficult to detect and block,” the advisory states.

However, it should be noted that the vulnerabilities can only be used to cause a DoS condition and do not allow attackers to compromise the confidentiality or integrity of the data contained within the vulnerable servers.

Netflix security team, who teamed up with Google and CERT Coordination Center to disclose the reported HTTP/2 flaws, discovered seven out of eight vulnerabilities in several HTTP/2 server implementations in May 2019 and responsibly reported them to each of the affected vendors and maintainers.

According to CERT, affected vendors include NGINX, Apache, H2O, Nghttp2, Microsoft (IIS), Cloudflare, Akamai, Apple (SwiftNIO), Amazon, Facebook (Proxygen), Node.js, and Envoy proxy, many of which have already released security patches and advisories.

Source: https://thehackernews.com/2019/08/http2-dos-vulnerability.html

In July 1999, a set of computers infected with the Trin00 malware attacked and took down the network of the University of Minnesota. The episode marked the first recorded case of a distributed-denial-of-service (DDoS) attack.

20 years later, DDoS has evolved into one of the most serious security threats from the arsenal of both cybercrime gangs and nation-state actors.

What is DDoS?

As the name implies, the goal of DDoS attacks is to prevent the target website from providing service to its users by flooding its servers with bogus traffic and starving its resources.

Before engaging in DDoS, attackers typically assemble a “botnet”. Botnets are sets of computers compromised with a malware that enables the attacker, the “bot master,” to send them remote commands. After assembling their army of zombie devices, bot masters can launch DDoS attacks by commanding their botnet to simultaneously send fake requests to the target.

With a strong enough botnet, an attacker can overwhelm the targeted server and cause it to crash, preventing it from  responding to requests from legitimate users.

Threat evolution

Since the attack against the University of Minnesota, DDoS assaults by criminals have accounted for massive financial losses and damage to the reputation of targeted organizations.

In the past year alone, web hosting and content delivery giant Akamai recorded hundreds of DDoS attacks per week. A recent report by cybersecurity vendor Kaspersky Labs also found an 84% increase in the number of DDoS attacks in the first quarter of 2019, The Daily Swig reported.

Aside from frequency, DDoS attacks have grown in size and extent of damage that they can cause.

Domingo Ponce, director of global security operations at Akamai, has been on the front line of fighting DDoS for over ten years.

“When I started, we were protecting against hacktivism (like Anonymous), script kitties, and companies attacking each other (shady gambling sites),” he told The Daily Swig.

“Now DDoS is all grown up – attacks are state-sponsored, large criminal syndicates are involved, and DDoS is a very significant revenue-based black market industry.”

IoT insecurity fuels the fire

The expansion of the Internet of Things (IoT) has played a major role in the recent growth of DDoS attacks. Many of these devices forgo security because of reliance on default credentials, making them easy game for botnet viruses.

“Mirai was a turning point highlighting the power of DDoS botnets comprised of IoT devices,” Patrick Sullivan, Akamai’s senior director of security strategy, told The Daily Swig.

The Mirai botnet was behind a major DDoS attack against DNS provider Dyn, which caused a major internet outage in October 2016. The botnet comprised a large number of internet-connected cameras, home routers, and baby monitors.

“Not only do the sheer number of vulnerable IoT devices present a challenge, but attacker willingness to use these bots to perform Application Layer Attacks leads to higher levels of sophistication,” Sullivan said.

Protect and survive

Shortly after the Dyn attack in 2016, the hackers behind the Mirai botnet declared they would rent out their massive botnet for $7,500, marking the rise in DDoS-as-a-service, where cybercriminals need little or not technical knowledge to implement an attack.

The spread of DDoS attacks has also given rise to a market for DDoS mitigation.

“The only viable option is to deploy mitigation in even more distributed architectures,” Akamai’s Sullivan said.

“Even a massively scalable cloud solution deployed to a small number of locations and ISPs will struggle to contain the truly massive attacks. Peering points aren’t designed to handle huge spikes in traffic, and congestion will occur before traffic can route to mitigation points.”

Source:https://portswigger.net/daily-swig/20-years-of-ddos-attacks-what-has-changed

The number of DDoS attacks detected by Kaspersky jumped 18% year-on-year in the second quarter, according to the latest figures from the Russian AV vendor.

Although the number of detected attacks was down 44% from Q1, the vendor claimed that this seasonal change is normal as activity often dips in late spring and summer. However, the spike was even bigger when compared to the same period in 2017: an increase of 25%.

Application attacks, which the firm said are harder to defend against, increased by a third (32%) in Q2 2019 and now constitute nearly half (46%) of all detected attacks. The latter figure is up 9% from Q1 2019, and 15% from Q2 2018.

Crucially, the seasonal drop in attacks has barely touched targeting of the application layer, which fell just 4% from the previous quarter.

These attacks are difficult to detect and stop as they typically include legitimate requests, the firm said.

“Traditionally, troublemakers who conduct DDoS attacks for fun go on holiday during the summer and give up their activity until September. However, the statistics for this quarter show that professional attackers, who perform complex DDoS attacks, are working hard even over the summer months,” explained Alexey Kiselev, business development manager for the Kaspersky DDoS Protection team.

“This trend is rather worrying for businesses. Many are well protected against high volumes of junk traffic, but DDoS attacks on the application layer require them to identify illegitimate activity even if its volume is low. We therefore recommend that businesses ensure their DDoS protection solutions are ready to withstand these complex attacks.”

Kaspersky also recorded the longest DDoS attack since it started monitoring botnet activity in 2015. Analysis of commands received by bots from command and control (C&C) servers revealed one in Q2 2019 lasting 509 hours, which is nearly 21 days. The previous longest attack, observed in Q4 2018, lasted 329 hours.

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-jump-18-yoy-in-q2/

With cyber crime on a meteoric rise, organisations in 2019 have to pay extra attention to cyber security trends such as increased cloud security, vulnerable Internet of Things networks, and phishing practices

A recent report on cyber crime estimated that hackers could have made as much as 45 billion from their illicit activities in 2018. The staggering number is yet another wake-up call for organisations worldwide to take their cyber security measures seriously and pivot them around three main trends of 2019.

These are the cyber security trends that are must-know for any organisation this year.

Increased attacks on clouds

The rise of cloud computing as a go-to network infrastructure solution among an increasing number of businesses is barely news, but organisations using the cloud still pay insufficient attention to the safety of their data.

“As a cloud provider, we are aware of the rising number in DDoS attacks globally, as well as other attempts to breach the security of the cloud,” commented Vincentas Grinius, CEO of Heficed, a cloud, dedicated server and IP address provider. “Per usual, the more access points are available within a platform or data stored on the cloud, the higher the risk. If using third-party party solutions, enterprises need to pay extra attention to securing their data. When it comes to the cloud providers, their customers need to make sure that their provider is putting the effort in properly segmenting their servers, so that an attack on one customer wouldn’t compromise the whole platform.”

Vulnerability of IoT Networks

Another IT industry on a steady rise is the Internet of Things (IoT), which is forecasted to double by 2021 and reach 520 billion. Naturally, the growth of this magnitude is leading to a growing number of cybersecurity incidents due to an increasing number of poorly secured IoT devices. Apparently, it is not only the devices themselves who could fall victim to malicious activities – the networks that devices are connected to are increasingly at risk, too.

“From a network infrastructure point of view, every connected device might be a potential threat,” added Grinius. “Phones, smartwatches, even smart home appliances, among other devices, might be used as access points and compromise whole networks. If the users do not update their devices regularly and take other precautions, they could be responsible, even without knowing, for enabling potentially damaging network-wide cyber security threats.”

Dangers of Phishing

Widely discussed phishing attacks remain one of the most widespread threats to data safety in 2019. As Verizon’s report on data breach estimates, 32% of all data breaches in 2018 were connected to phishing of some sorts. What is particularly challenging about phishing is that it is not only about cyber security solutions from the system’s side – a large part of phishing success is due to human error.

“To successfully tackle phishing, companies will have to invest in tools that monitor employees’ email traffic more closely, in making sure the systems used are always updated, and in cybersecurity training plans that would make employees aware of the threats and how to behave when confronted by them. A training plan like this could include a phishing simulator and constantly updating the employees on new phishing methods,” finished Grinius.

With cyber crime being such a lucrative niche for criminals worldwide, these trends are just a few of the many that might jeopardise enterprises. Regardless of how the cyberthreats will evolve in the future, businesses will need to invest additional resources in protecting their data.

Source: https://www.openaccessgovernment.org/cyber-security-trends/70219/

Despite a recent crackdown by the Federal Bureau of Investigation (FBI), there has been a more than 400% increase in the volume of attacks being launched via DDoS-for-hire sites in the last quarter. That’s according to a new report from Nexusguard, a provider of a cloud service for combatting distributed denial of service (DDoS) attacks.

The “Nexusguard Q1 2019 Threat Report” also notes that DDoS attacks smaller than 1Gbps are becoming more automated and targeted at specific organizations. For example, 17% of all the DDoS attacks launched in Brazil in the last quarter were aimed at one specific banking institution, the report finds.

Donny Chong, product director for enterprise cybersecurity at Nexusguard, said the DDoS-for-hire sites that were taken down last year are now being replaced. The number of DDoS-for-hire websites being tracked by NexusGuard has doubled year over year.

The Nexusguard report also finds this latest generation of DDoS-for-hire cybercriminals is more adept at compromising mobile computing devices to launch their attacks. Botnets employed by these sites have been able to launch attacks lasting more than 40,000 minutes at a time, or more than 27 days, the report finds. In addition to leveraging mobile computing devices, DDoS-for-hire sites are starting to leverage billions of poorly protected internet-of-things (IoT) devices, he said.

Chong noted the latest iteration of DDoS-for-hire websites appears to be trying to fly under the radar of law enforcement. Rather than launching massive attacks, cybercriminals are employing the threat of a DDoS attack to extort payments from organizations both large and small.

At a time when organizations depend heavily on websites to generate revenue, DDoS attacks can have a much bigger financial impact on organizations.

In general, DNS attacks come in a variety of forms, including:

  • Domain hijacking, which results in DNS servers and domain registrar redirecting traffic away from the original servers to new destinations.
  • DNS hijacking (also known as DNS redirection), which involves malware being employed to, for example, alter the TCP/IP configurations so they can point to another DNS server, which will then redirect traffic to a fake website.
  • DNS flooding, which is a distributed denial-of-service (DDoS) attack that seeks to overload a DNS server to the point where it can no longer process requests.
  • Distributed reflection denial-of-service (DRDoS) attacks, which spoof the source address of the DNS service and results in machines replying back and forth until the DNS server becomes flooded.
  • DNS tunneling, which makes use of encoded data from other applications to compromise DNS responses and queries.
  • Random subdomain attacks, which involve sending a lot of DNS queries via compromised systems against a valid and existing domain name.

While there may be no way to terminate every DDoS attack, the good news is organizations at the very least are getting more adept at mitigating them.

Source: https://securityboulevard.com/2019/07/ddos-for-hire-sites-bounce-back/