Blocking DDoS Archive

Last year there was an odd incident in South Korea, where a widely distributed computer game appeared to be infected with malware (software that secretly uses the PC it is on for criminal activity, including stealing valuable data from the PC it is on). What caught the attention of South Korean military intelligence was the fact that the malware was hidden in every copy of this game and, at one point, many of the 100,000 infected PCs tried to shut down the air traffic control system at a major South Korean airport.

Further investigation revealed that the airport attack was part of a growing Cyber War campaign by North Korea against government and military web sites in South Korea. One of the most disruptive North Korean Cyber War weapons was DDOS (distributed denial of service) attacks. These are carried out by first using a computer virus (often delivered as an email attachment or, in this case, via a game), that installs a secret a Trojan horse type program, that allows someone else to take over that computer remotely, and turn it into a “zombie” for spamming, stealing, monitoring or DDOS attacks to shut down another site. There are millions of zombie PCs out there, and these can be rented, either form spamming or lunching DDOS attacks. Anyone with about $100,000 in cash, including North Korea, could carry out attacks. You can equip a web site to resist, or even brush off, a DDOS attack, and some of those attacked ware prepared. But others were not. The South Korea airport was disrupted for several hours.

Last year was the third time since 2009 that someone, apparently North Korea, has launched DDOS attacks, and attempted to hack into South Korean networks. But part of this latest DDOS effort was carried out by a North Korean botnet of zombie PCs obtained by selling the malware infected games. Further investigation found that the South Korean creator of the games had been financed by North Korea agents, who provided the malware payload. These games were made available for sale on South Korean web sites. Police are still inspecting the malware, which may have been stealing data from infected PCs, in addition to be part of a botnet of PCs used for DDOS attacks.

Source: http://www.strategypage.com/htmw/htiw/articles/20120607.aspx

By Brian Bloom, ComputerWorld Canada

May 29, 2012, 8:53 PM — Depending on how unscrupulous your business practices are, a denial-of-service attack can give you a competitive advantage. From keeping competitors offline to engaging in outright extortion, there are organizations (some more obviously criminal than others) now using DDoS attacks to make big money.

For those on the receiving end, DDoS attacks are expensive. If you want to avoid losing a lot of money, it pays to be insured. And it’s better to get your protection from the good guys.

Corero Network Security is a company that fits into a small but growing sector of the information security community. It looks at ways to combat the increasingly sophisticated — and often untraceable — denial-of-service attacks targeting organizations of all kinds. The company says the bulk of the attacks today are not the spectacular, ideology-driven kinds that grab headlines.

“Most of the attacks, we know, involve things like unfair competition,” says Neil Roiter, research director of Corero Network Security Inc. “In other words, another company in your own market, your own sector, hitting you to knock you offline, to chase away customers, to lure customers to their own site.”

Roiter adds that when Corero surveyed companies in the U.S. subjected to DDoS attack, more than half believed they had been targeted by the competition. Then there are other attacks: ones that are essentially information age protection rackets.

“It’s like the old protection racket where guys come into your shop, your store, like in the movies and they say, ‘You have a nice place here. It would be a shame if something bad happened to it. Or happened to you.’

“You’ll get an email or phone call saying, ‘Pay us $50,000 by such and such a time, transfer it to this account, or we’re going to knock your site offline.'”

At first glance, Canada appears to have avoided the scourge of these sorts of “professional” DDoS attacks. David Black, manager of the RCMP technology crime branch’s cyber crime fusion team, says he hasn’t encountered many cases of DDoS extortion in Canada, though the threat is certainly present.

“Any company is vulnerable to this, in a sense,” says Black. “If their business depends on 24/7 network connection, extortion could be a reality.”

He adds that it’s “very rare” to catch a company knocking down a competitor’s site in Canada. But again, he cautions that this doesn’t mean they won’t occur in the future.

“We are at high risk, don’t get me wrong,” Black says. “Just the examples aren’t there.”

But Roiter suggests there may plenty of examples that the police simply don’t know about. Extortion, he says, is a crime that usually goes unreported, making it impossible to know how prevalent it is. While countries do differ in terms of the types of DDoS attacks they experience, certain industries are magnets for these types of crimes, Roiter says. He notes, for example, that Canada has a “healthy online gambling industry.”

“Gambling sites are very popular targets. There’s a lot of that that goes on in online gambling. And usually they’ll pay the ransom. Think of it this way: somebody gives you that call before World Cup match when you know you’re going to be doing hundreds of thousands, maybe a million dollars in business, and they say, ‘pay us $50,000′ or ‘£30,000′ or whatever it is. You’re going to pay.”

Roiter says part of the reason that companies are forced to give into criminals’ demands is not necessarily that they haven’t taken protective measures, but that they haven’t taken the right ones. They may be protected from network-based attacks and aren’t ready for the newer application-level attacks.

“The networking flooding attacks, the SYN flood, the UDP attacks, the ICMP attacks, those sorts of things are becoming less prevalent, and application-layer attacks, which use far less bandwidth and are much harder to detect and mitigate, are becoming dominant.”

To combat such attacks, Corero’s security platform uses analysis to examine whether a protocol is behaving properly and a rate-limiting technique that assigns it either a credit or demerit point. With enough demerits, the system will perceive a threat and immediately block it off.

The company has more than 20 major Canadian clients, including financial and government institutions. Dave Millier, CEO of Toronto-based Sentry Metrics Inc., says his company was the primary reseller for Top Layer Networks Inc., a company Corero acquired in 2011 that was one of the biggest players in the DDoS market.

Millier says in general, Corero’s “claim to fame” in preventing DDoS attacks is their ability to ensure business continuity in the midst of an attack. “They can sustain multi-hundred megabit attacks, while still allowing acceptable performance of the Web services that are running on the systems inside the network itself.”

This is accomplished by placing the Corero boxes outside of the network and firewall to identify and block threats more quickly. “All the data still comes to the Corero box, but it’s intelligent enough to actually in effect drop the connections before they ever get to the devices that are trying to be connected to.”

From the RCMP’s perspective, says Black, one of the best ways to combat DDoS crime in Canada is to seek guidance from the Canadian Cyber Incident Response Centre (CCIRC). Businesses can also report cyber threat incidents to the Centre. And as they increase, it will play an increasingly important role, he says.

“As this business grows and matures, for advice on how to prevent … (that’s) a great role for CCIRC,” he says.

Source: http://www.itworld.com/security/279089/new-ddos-silent-organized-and-profitable

NEW DELHI: A day after messing with servers maintained by Reliance Communications, Anonymous, an international hacker collective, defaced two websites belonging to BJP on Sunday. Through its Twitter account (@opindia_back) it announced thatwww.mumbaibjp.org and www.bjpmp.org.in were hacked by the group. After the hacking, the group posted a message to web users, asking them to organize protests against “web censorship” in India on June 9.

While the message was displayed on the homepage of www.mumbaibjp.org, on www.bjpmp.org.in it was inserted as a page at bjpmp.org.in/ads/anon.html. On Mumbai BJP website the message was accompanied by a catchy tune embedded through a YouTube link.

“Today they took away your right to use a few websites… day after tomorrow they will take away your freedom of speech and no one will be there to speak for you. Speak Now or Never,” the message read. The hackers said that people should print out or buy Guy Fawkes Masks and wear them while protesting against web censorship in Bangalore, Mangalore, Kochi, Chennai, Vizag, Delhi, Mumbai and Hyderabad on June 9.

TOI reached out to Anonymous though Twitter, asking why it defaced BJP websites. “”Just needed a website to display our message,” said the person managing @opindia_back.

The Ion, who is likely a part of Anonymous and who uses @ProHaxor alias on Twitter, added, “BJP are the opposition they should have stopped this or should have organised a protest they did not do any.”

Incidentally, CERT-IN, the nodal agency in India for monitoring security and hacking incidents within the country’s cyberspace, said in a report on Sunday that hackers are targeting Indian websites. “It is observed that some hacker groups are launching Distributed Denial of Service (DDoS) attacks on websites of government and private organizations in India,” the report said and asked network administrators to keep vigil.

Anonymous started attacking websites belonging to government agencies and companies like Reliance Communications last week after internet service providers blocked several websites in the country on the basis of an order by Madras high court. Anonymous says the blocking of websites is illegal and suppression of freedom of speech. On Friday it held a virtual ‘press conference’ and released a list of websites that were allegedly blocked on the internet service provided by Reliance Communications even though there was no legal requirement for the ISP to do so. The hackers said they stole the list from Reliance’ servers. At the same ‘press briefing’ the group called on Indian people to organize protests against web censorship on June 9.

In the last few months, Anonymous has organized or played a dominant role in real world protests against what it perceives censorship and abuse of power. The most popular of these protests has been Occupy Wall Street in the US. Though there were a number of groups and individuals involved in these protests Anonymous had played a key role in spreading the word.

Source: http://timesofindia.indiatimes.com/tech/news/internet/Anonymous-hacks-BJP-websites-wants-people-to-protest-against-web-censorship/articleshow/13576173.cms

More than half of US businesses still rely on conventional firewalls or intrusion prevention systems to shield themselves from the scourge of DDoS attacks, a survey by services firm Neustar has found.

By John E Dunn

Techworld — More than half of US businesses still rely on conventional firewalls or intrusion prevention systems to shield themselves from the scourge of DDoS attacks, a survey by services firm Neustar has found.

The survey of 1,000 US-based IT professionals across a range of industries found that only 3 percent were using DDoS mitigation systems or services, with a quarter claiming they had no protection whatsoever against the threat.

Eleven percent used intrusion detection/prevention systems even though such technology is (in common with firewalls, routers and switches) widely seen as an inadequate defence against contemporary DDoS bombardment, Neustar said.

“Experts point out that during DDoS attacks these ‘defences’ become part of the problem. They quickly become bottlenecks, helping achieve an attacker’s goal of slowing or shutting you down. Moreover, firewalls won’t repel attacks on the application layer, an increasingly popular DDoS vector,” the authors note.

A third of those questioned said DDoS attacks lasted for a day or more with 11 percent mentioning over a week.

There didn’t appear to be any clear pattern that related attack length to industry segment, except that the travel industry appeared slightly more vulnerable to attacks lasting longer than 24 hours.

Two thirds said the direct cost of all this DDoS was about $10,000 (APS6,200) per hour or $240,000 per day, with 13 percent reckoning it as being $100,000 per hour.

The most vulnerable to high costs was retail, a sector that depends on online sales to generate cashflow, followed by finance.

The main anxiety in advance of DDoS attacks was the negative impact on customers, ahead of brand reputation damage and even direct costs.

Companies such as Neustar have a vested interest in talking up the difficulty of dealing with DDoS the better to market protection services.

However, the company said it accepted that there was no simple answer to countering DDoS attacks; even the best protection systems available still required trained, skilled staff to deploy and manage them.

“With attacks becoming more sophisticated – mixing brute-force bandwidth assaults and surgical strikes on applications – in-depth knowledge and experience make a huge difference. There is no ‘magic box’ that can out-think attackers on its own.”

The company markets its own cloud-based mitigation service, SiteProtect. Three years ago its UltraDNS service was itself the victim of a DDoS attack.

Source: http://www.cio.com/article/706594/U.S._Firms_Over_Reliant_on_Firewalls_to_Defend_Against_DDoS_Attacks?taxonomyId=3089

15/05/2012

Information Commissioner’s Office’s website appears to be latest target of hacktivists

Privacy watchdog appears to be under Distributed Denial of Service attack

Update: The ICO has just released this statement about the DDOS attack it is suffering.

ICO spokesperson said:”Access to the ICO website has been disrupted over the past few days. We believe this is due to a distributed denial of service attack.

“The website itself has not been damaged, but people have been unable to access it. We provide a public facing website which contains no sensitive information.

“We regret this disruption to our service and we are working to try to bring the website back online as soon as possible.

“As mentioned it seems to be intermittently available at the moment and our web team our working to resolve the problem.”

Hackers appear to have launched a Distributed Denial of Service (DDOS) attack against the website of the Information Commissioner’s Office.

The site is currently offline and when we called to verify if this was the case, a representative for the ICO told us at 9.55am that it was going into a meeting to discuss the situation. The privacy watchdog said it would release an update when it had some news.

However we were told that it was hoped that the site would be back online soon.

If it is indeed a DDOS attack, it is not known who may behind it or why. But the last week has seen a spate of these attacks including those against internet service providers’ (ISPs) sites, including Virgin Media and Talk Talk, which have been targeted recently by strands of the Anonymous group.

They were protesting against the ISPs blocking customer access to file-sharing site The Pirate Bay.

André Stewart, President International at Corero Network Security said: “The takedown of the Information Commissioner’s Office website by an apparent Distributed Denial of Service attack is, once again, evidence that Government organisations need to be better prepared for the growing threat from cybercrime carried out by politically or ideologically motivated hacktivists.”

Source: http://www.computeractive.co.uk/ca/news/2174709/information-commissioners-office-website-goes-offline-suspected-ddos-attack