Blocking DDoS Archive

The issue impacts users of the vendor’s Cloud WAF product.

Imperva, the security vendor, has made a security breach public that affects customers using the Cloud Web Application Firewall (WAF) product.

Formerly known as Incapsula, the Cloud WAF analyzes requests coming into applications, and flags or blocks suspicious and malicious activity.

Users’ emails and hashed and salted passwords were exposed, and some customers’ API keys and SSL certificates were also impacted. The latter are particularly concerning, given that they would allow an attacker to break companies’ encryption and access corporate applications directly.

Imperva has implemented password resets and 90-day password expiration for the product in the wake of the incident.

Imperva said in a website notice that they learned about the exposure via a third party on August 20. However, the affected customer database contained old Incapsula records that only go up to Sept. 15, 2017.


“We profoundly regret that this incident occurred and will continue to share updates going forward,” Imperva noted. “In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

Imperva also said that it “informed the appropriate global regulatory agencies” and is in the process of notifying affected customers directly.

When asked for more details (such as if this is a misconfiguration issue or a hack, where the database resided and how many customers are affected), Imperva told Threatpost that it is not able to provide more information for now.

Source: https://threatpost.com/imperva-firewall-breach-api-keys-ssl-certificates/147743/

As per Eric Muntz from Keone Software, malware and data breaches are not the only risks website owners face these days. DDoS attacks can be devastating enough to destroy your business. Read this post to find out about major DDoS attacks.

The GitHub attack of 2018

The GitHub attack of 2018 remains the largest DDoS attack of all time, and it targeted GitHub, a popular code-management site on the internet. The attack peaked at a rate of 1.3 Tbps and sent packets at a rate of 126.9 million per second. No botnets were involved in this attack; instead, the attackers relied on the amplification effect of the database caching system known as Memcached. GitHub, having learned from its previous attack in 2015, was using a DDoS protection system, was alerted within 10 minutes of the attack, and limited the attack to only twenty minutes.

The Dyn Attack

The Dyn attack, which took place in October 2016, was initiated by a DNS operator and aimed at dismantling and disintegrating major websites including PayPal, Amazon, Airbnb, Visa, The New York Times, Netflix, GitHub, and Reddit. The malware primarily used to achieve this is known by the name Mirai, which is capable of creating a botnet from vulnerable internet-connected devices such as webcams, printers, monitors and others of the same kind. To launch the attack, all these devices were programmed to send requests to one single victim at a time. The attack did not last long, and Dyn bounced back from its clutches within a single day.

The Mafiaboy attack

The Mafiaboy attack was launched in 2000 by a boy only fifteen years old who came to be known as Mafiaboy, which is where the name came from. The websites attacked included eBay, Yahoo, Dell, CNN and E-Trade, which together formed the group of major search engines of that time. This attack not only disrupted major internet services but also caused heavy losses in the stock market. The cybercrime laws that exist today came into being after this DDoS attack.

The Spamhaus Attack

The Spamhaus attack was conducted in 2013 and is hailed as one of the most dangerous and largest attacks. Spamhaus, as the first part of the name suggests, is an organization that helps to recognize and filter the spam e-mails received by users, which makes it the most targeted company for hackers who intend to launch their attacks through spam e-mails. The attack was conducted at a speed of 300 Gbps, and immediately after it began, Spamhaus signed up for Cloudflare's DDoS protection, which played a major role in saving the organization. Even though the attack was unable to cause major impacts, it still degraded the normal functioning of LINX, the London Internet Exchange.

The GitHub Attack

This 2015 DDoS attack was mainly focused on GitHub, and research has indicated that the move was motivated by political rivalry; it was one of those attacks that lasted for a while and adapted itself to GitHub's existing DDoS mitigation strategies. The attack was carried out by injecting unknown JavaScript code into the browsers of users who visited China's most popular search engine, Baidu. Sites that used Baidu were also infected by this malicious code, which was meant to send HTTP requests to GitHub pages.

Source: https://baltimorepostexaminer.com/top-5-ddos-attacks-of-all-times/2019/08/19

In July 1999, a set of computers infected with the Trin00 malware attacked and took down the network of the University of Minnesota. The episode marked the first recorded case of a distributed-denial-of-service (DDoS) attack.

20 years later, DDoS has evolved into one of the most serious security threats from the arsenal of both cybercrime gangs and nation-state actors.

What is DDoS?

As the name implies, the goal of DDoS attacks is to prevent the target website from providing service to its users by flooding its servers with bogus traffic and starving its resources.

Before engaging in DDoS, attackers typically assemble a “botnet”. Botnets are sets of computers compromised with malware that enables the attacker, the “bot master,” to send them remote commands. After assembling their army of zombie devices, bot masters can launch DDoS attacks by commanding their botnet to simultaneously send fake requests to the target.

With a strong enough botnet, an attacker can overwhelm the targeted server and cause it to crash, preventing it from responding to requests from legitimate users.

Threat evolution

Since the attack against the University of Minnesota, DDoS assaults by criminals have accounted for massive financial losses and damage to the reputation of targeted organizations.

In the past year alone, web hosting and content delivery giant Akamai recorded hundreds of DDoS attacks per week. A recent report by cybersecurity vendor Kaspersky Labs also found an 84% increase in the number of DDoS attacks in the first quarter of 2019, The Daily Swig reported.

Aside from frequency, DDoS attacks have grown in size and extent of damage that they can cause.

Domingo Ponce, director of global security operations at Akamai, has been on the front line of fighting DDoS for over ten years.

“When I started, we were protecting against hacktivism (like Anonymous), script kiddies, and companies attacking each other (shady gambling sites),” he told The Daily Swig.

“Now DDoS is all grown up – attacks are state-sponsored, large criminal syndicates are involved, and DDoS is a very significant revenue-based black market industry.”

IoT insecurity fuels the fire

The expansion of the Internet of Things (IoT) has played a major role in the recent growth of DDoS attacks. Many of these devices forgo security because of reliance on default credentials, making them easy game for botnet viruses.

“Mirai was a turning point highlighting the power of DDoS botnets comprised of IoT devices,” Patrick Sullivan, Akamai’s senior director of security strategy, told The Daily Swig.

The Mirai botnet was behind a major DDoS attack against DNS provider Dyn, which caused a major internet outage in October 2016. The botnet comprised a large number of internet-connected cameras, home routers, and baby monitors.

“Not only do the sheer number of vulnerable IoT devices present a challenge, but attacker willingness to use these bots to perform Application Layer Attacks leads to higher levels of sophistication,” Sullivan said.

Protect and survive

Shortly after the Dyn attack in 2016, the hackers behind the Mirai botnet declared they would rent out their massive botnet for $7,500, marking the rise of DDoS-as-a-service, where cybercriminals need little or no technical knowledge to implement an attack.

The spread of DDoS attacks has also given rise to a market for DDoS mitigation.

“The only viable option is to deploy mitigation in even more distributed architectures,” Akamai’s Sullivan said.

“Even a massively scalable cloud solution deployed to a small number of locations and ISPs will struggle to contain the truly massive attacks. Peering points aren’t designed to handle huge spikes in traffic, and congestion will occur before traffic can route to mitigation points.”

Source: https://portswigger.net/daily-swig/20-years-of-ddos-attacks-what-has-changed

Despite a recent crackdown by the Federal Bureau of Investigation (FBI), there has been a more than 400% increase in the volume of attacks being launched via DDoS-for-hire sites in the last quarter. That’s according to a new report from Nexusguard, a provider of a cloud service for combatting distributed denial of service (DDoS) attacks.

The “Nexusguard Q1 2019 Threat Report” also notes that DDoS attacks smaller than 1Gbps are becoming more automated and targeted at specific organizations. For example, 17% of all the DDoS attacks launched in Brazil in the last quarter were aimed at one specific banking institution, the report finds.

Donny Chong, product director for enterprise cybersecurity at Nexusguard, said the DDoS-for-hire sites that were taken down last year are now being replaced. The number of DDoS-for-hire websites being tracked by NexusGuard has doubled year over year.

The Nexusguard report also finds this latest generation of DDoS-for-hire cybercriminals is more adept at compromising mobile computing devices to launch their attacks. Botnets employed by these sites have been able to launch attacks lasting more than 40,000 minutes at a time, or more than 27 days, the report finds. In addition to leveraging mobile computing devices, DDoS-for-hire sites are starting to leverage billions of poorly protected internet-of-things (IoT) devices, he said.

Chong noted the latest iteration of DDoS-for-hire websites appears to be trying to fly under the radar of law enforcement. Rather than launching massive attacks, cybercriminals are employing the threat of a DDoS attack to extort payments from organizations both large and small.

At a time when organizations depend heavily on websites to generate revenue, DDoS attacks can have a much bigger financial impact on organizations.

In general, DNS attacks come in a variety of forms, including:

  • Domain hijacking, which results in DNS servers and domain registrar redirecting traffic away from the original servers to new destinations.
  • DNS hijacking (also known as DNS redirection), which involves malware being employed to, for example, alter the TCP/IP configurations so they can point to another DNS server, which will then redirect traffic to a fake website.
  • DNS flooding, which is a distributed denial-of-service (DDoS) attack that seeks to overload a DNS server to the point where it can no longer process requests.
  • Distributed reflection denial-of-service (DRDoS) attacks, which spoof the source address of the DNS service and result in machines replying back and forth until the DNS server becomes flooded.
  • DNS tunneling, which makes use of encoded data from other applications to compromise DNS responses and queries.
  • Random subdomain attacks, which involve sending a lot of DNS queries via compromised systems against a valid and existing domain name.

While there may be no way to terminate every DDoS attack, the good news is organizations at the very least are getting more adept at mitigating them.

Source: https://securityboulevard.com/2019/07/ddos-for-hire-sites-bounce-back/

A botnet of over 400,000 IoT devices held a 13-day distributed denial-of-service (DDoS) siege against the streaming app of a company in the entertainment business.

Directed at the authentication component, the attack started around April 24 and hit with as many as 292,000 requests per second (RPS) at its peak, making it one of the largest Layer 7 DDoS strikes.

It held a constant rate above 100,000 requests, and the adversary kept the flow well over 200,000.

A Layer 7 (application layer) DDoS attack is not meant to exhaust the internet connection bandwidth, as is the case with volume-based attacks (e.g. UDP, ICMP floods), or a system’s resources (SYN flood). Since the target is an application, the intent is to hit it with so many GET/POST requests that the server crashes.

DDoS mitigation company Imperva kept the service running for the entire duration of the attack, observing requests from 402,000 different IP addresses.

Most of the attacking devices were located in Brazil, the company says in a report today, noting that this was the largest Layer 7 DDoS assault it has dealt with.

Spikes as high as 300,000 RPS have been observed in the past. In 2017, the website for the Russian newspaper Meduza was a target of a DDoS attack with requests above the volume observed by Imperva.

Because the attacker also focused on the authentication component of the service, the intent remains unclear in the incident handled by Imperva. The botnet’s main goal may have been testing credentials on the service by brute-forcing the login.

However, this large a volume of requests can lead to a denial-of-service condition when no proper mitigation solution is in place.

“The attackers used a legitimate User-Agent, the same as used by the entertainment industry customer service application, to mask their attack.” – Imperva’s Vitaly Simonovich

Linking this activity to an IoT botnet was possible by looking at the ports used. Imperva saw that most of the devices sending the requests had ports 7547 and 2000 open.

Port 7547 is a standard one for the Customer Premises Equipment WAN Management Protocol (CWMP) – intended for auto-configuration and remote management of home routers, modems, and other CPEs.

Port 2000 is also linked to routers, MikroTik in particular, as it is used on these devices for the bandwidth test server protocol.

Requests may seem benign

Layer 7 DDoS attacks can be difficult to defend against because applications are designed to accept requests from users and serve them resources.

In this case, the adversary also used the same user agent as the service’s application and targeted the authentication component.

Distinguishing the malicious connections from the botnet became more difficult because the requests came from distinct systems and were for legitimate action.

Furthermore, brute-force protection would not work in this instance, since there were so many bots that could try different credentials. When the limit was reached, a bot could take a break and then resume its activity.

This technique has been named “low and slow” precisely because it takes longer for the adversary to achieve their goal, but it is also harder to defend against since it mimics the activity of a legitimate user.
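To show why a per-IP brute-force limit misses this kind of distributed login flood while an aggregate check on the authentication endpoint catches it, here is an added Python example that is not from the article or from Imperva. The log line format, the /login path, the User-Agent string and the thresholds are all assumptions, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample access log (not from the article): 200 distinct sources each
# send only three POST /login requests inside one minute, all with the same
# User-Agent as the legitimate client application; two benign lines follow.
LOG_LINES = [
    f'2019-04-24T10:00:{(ip + 20 * k) % 60:02d}Z 203.0.113.{ip} "POST /login" 401 "StreamApp/2.1"'
    for ip in range(1, 201) for k in range(3)
] + [
    '2019-04-24T10:00:30Z 198.51.100.7 "GET /home" 200 "StreamApp/2.1"',
    '2019-04-24T10:01:05Z 198.51.100.9 "POST /login" 200 "StreamApp/2.1"',
]

LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+)" (\d{3}) "([^"]*)"$')

def parse(line):
    # Return a dict for a well-formed line, None otherwise (assumed log format).
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, ua = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "ip": ip, "method": method, "path": path,
            "status": int(status), "ua": ua}

def analyse_auth_windows(lines, path="/login", window_s=60,
                         per_ip_limit=10, aggregate_limit=100, distinct_ip_limit=50):
    # Bucket login requests into fixed windows; per window, run the classic per-IP
    # limit (each bot stays under it) and an aggregate volume/distinct-source check.
    windows = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["path"] != path:
            continue
        bucket = int(rec["ts"].timestamp()) // window_s * window_s
        windows[bucket][rec["ip"]] += 1
    results = []
    for bucket in sorted(windows):
        per_ip = windows[bucket]
        total = sum(per_ip.values())
        results.append({
            "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
            "total": total, "distinct_ips": len(per_ip), "max_per_ip": max(per_ip.values()),
            "per_ip_alert": any(c > per_ip_limit for c in per_ip.values()),
            "aggregate_alert": total > aggregate_limit or len(per_ip) > distinct_ip_limit,
        })
    return results
```

On the constructed log the first window carries 600 login requests from 200 addresses with at most 3 per address, so the per-IP check stays silent while the aggregate check fires; the second window, a single legitimate login, triggers neither.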

Source: https://www.bleepingcomputer.com/news/security/streaming-service-suffers-13-day-ddos-siege-by-iot-botnet/