Blocking DDoS Archive

It’s impossible to predict when distributed denial of service (DDOS) attacks will hit, so companies must take measures to mitigate such an incident before it happens.

So says Martin Walshaw, senior engineer at F5 Networks, who notes barely a month goes by without media reports of a Web site or service being brought down by a DDOS attack. Sony’s PlayStation Network again became the victim of such an attack recently, while hacking group Anonymous is on a disabling offensive of extremist Web sites, he says.

According to research conducted by B2B International and Kaspersky Lab, 38% of companies providing online services, such as online shopping and online media, fell victim to DDOS attacks over the past 12 months.

Doros Hadjizenonos, sales manager at Check Point Technologies in SA, says DDOS criminal activity was used to attack the Web sites of various gaming platforms last year. This attack involves many computers continuously requesting certain information from the attacked network until saturation and, therefore, its downfall, Hadjizenonos explains.

Walshaw says DDOS attacks can come in a variety of shapes and sizes. “However, the aim of a DDOS attack is always the same – to saturate a server with so many requests that it simply cannot cope, leaving legitimate users unable to connect.

“Attackers will sometimes use their own network of computers to launch DDOS attacks, but what is now more common is for them to use a network of PCs across the world that have been infected with malware that is capable of joining in a DDOS attack without the owner’s knowledge,” Walshaw explains.

Legitimate traffic

The results of a DDOS attack can be disastrous: loss of revenue-generating applications as well as reputational damage can negatively impact a business for years.

However, Walshaw notes: “There are ways a company can keep its applications, services and even its whole network online without stopping legitimate traffic.”

He believes a sophisticated firewall manager, application security manager and local traffic manager combined provide the protection needed to mitigate DDOS attacks, from blocking attack traffic to re-routing legitimate requests to ensure uptime.

Analysis is also key, says Walshaw, adding understanding who is attacking you, as well as how and why, can help prevent an attack from causing too much damage and protect against future attacks.

Establishing which layer is being attacked (application, network or session, for example) will help a company know where to focus its resources, and intelligent firewall management will be able to inspect all traffic coming into a network and stop traffic that is coming from a DDOS attack, he points out.

Fire drills

According to Neil Campbell, group GM for Dimension Data’s Security Business Unit, IT security ‘fire drills’, supported by executive management and the risk committee, should be conducted regularly in organisations in order to understand the appropriate course of action in advance of a security breach.

He believes technologies and services focused on incident response – rather than only incident prevention – should be one of the trends high on the agendas of security professionals in 2015.

“It’s inevitable that security incidents will occur. It’s, therefore, critical that organisations begin to focus on identifying what we call ‘indicators of compromise’, putting a comprehensive incident response plan in place, and performing regular IT security ‘fire drills’,” explains Campbell.

He points out the regular fire drills – or rehearsals – will ensure that, in the event of an incident, IT and management teams are clear about what needs to be done, and the business is less at risk. This includes recovering evidence, identifying and resolving the root cause of the incident (not just the symptoms), and undertaking a forensic investigation.

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=140563:DDOS-attacks-prepare-for-the-worst&catid=71

Whilst the trend for distributed denial of service (DDoS) attacks has been towards larger and larger (aka volumetric) attacks in recent years, a new report just published claims to show that slow-and-low, with smart, short IP bursts, is now a lot more commonplace.

For its third annual set of research, Neustar interviewed IT professionals from around 450 companies, concluding that businesses are now seeing a more unstable and complex landscape.

Over the last year, says the report, DDoS attacks have evolved in terms of their strategy and tactics, with IT professionals seeing increased media reports of ‘smokescreening’ – where criminals use DDoS attacks to distract IT staff while inserting malware to breach bank accounts and customer data.

More than half of attacked companies reported theft of funds, data or intellectual property. Such cyber-attacks are intense but shorter-lived, more surgical than sustained strikes whose goal is extended downtime.

More than 47 percent of respondents said they viewed DDoS attacks as a greater threat than in 2012, whilst another 44 percent believe the problem is just as serious. In 2013, DDoS continued to cripple websites, shut down operations and cost millions of dollars in downtime, customer service and brand damage.

According to Rodney Joffe, Neustar’s senior technologist, when there’s a tremendous storm, most people run around the house making sure all the windows are closed and you have a flashlight ready.

“You’re not worried about anything else. DDoS attacks are similar. They create an all-hands-on-deck mentality, which is understandable but sometimes dangerous,” he said, adding that with DDoS attacks, the stakes are high, as if you are a criminal, why mess around with extortion when you can just go ahead and steal – and on a much greater scale?

Neustar’s analysis also shows a trend towards shorter DDoS attacks, but also more attacks from 1Gbps to 5Gbps – that is, quicker, more concentrated strikes.

“While it’s too soon to say for sure, this could stem from a highly damaging tactic, DDoS smokescreening,” says the report, adding that smokescreening is used to distract IT staff whilst the criminals grab and clone private data to siphon off funds, intellectual property and more.

Solutions
One solution, concludes the report, is for organisations to install dedicated DDoS protection, as scrambling to find a solution in the midst of an emergency only adds to the chaos – and any intended diversion.

According to Sarb Sembhi, a director of Storm Guidance, the report tracks some interesting trends.

“If you look at large companies suffering attacks, it is clear that the DDoS methodologies being used are getting very sophisticated,” he said, adding that a key aspect is that they are often relatively slow – but smart – in nature.

“With larger companies it is clear that the cyber-criminals are doing their research. They are clearly also testing their technology with smaller companies, and then using those companies’ IT systems as their own assets to launch other attacks,” he said.

Sembhi went on to say that his observations also suggest that larger companies are now starting to install layers of protection – as the report recommends – to remediate against a DDoS attack when it takes place.

Source: http://www.scmagazineuk.com/ddos-attacks-slow-and-smart-is-the-order-of-the-day/article/376283/

When two computers wish to communicate, they first have to acknowledge that they are ready to communicate, and this process is rather like talking to a friend by text message. Say you want to talk to Billy: you send Billy a text message saying you want to talk. Billy gets this message from you, which is good, because he now knows that you-to-Billy communication works — this is sort of a big deal, because you and Billy live in a world where cell phone providers aren’t very reliable.

Billy now has to let you know that he got your message, and that Billy-to-you communication works too, so he replies with another text message saying “Looks like I can get your messages, and I’m attending my phone now.” You get this message, and everything looks cheery, so you send him a last text message saying “I can get yours too. Let’s start talking!”, and you and Billy can now carry on a friendly chat.

This is how computers communicate with each other; it’s called handshaking, and it’s used to do two things: acknowledge the desire to communicate with each other, and to make sure the lines of communication are working well. It’s harder to prove the latter, because in the example above, Billy might not have gotten your last text message, and you’d never know, so it would be reassuring if he acknowledged if he got it by sending you another confirmation, before you start wasting a ton of money through sending him a bunch of text messages that he might not even get! Of course, then you’d have to confirm that you got his confirmation, and he’d have to confirm that confirmation, and so forth. As reassuring as it is, we can’t keep doing this indefinitely, and network engineers have had to come up with a solution to this problem, known as The Two Generals’ Problem. In the end, they settled on the protocol as mentioned above.

Now, say you want to chat with Billy, so you send him a text message to see if he’s there. He confirms that he’s there, but the text message gets dropped because of a bad cell phone tower. Now both of you are stuck at a stalemate; you’re waiting for his confirmation, and he’s waiting for yours. This is a bad situation! So, in order to avoid this, Billy tries to resend his reply after a certain amount of time, after not hearing from you, because he doesn’t know whether it’s your cell phone tower that’s bad, or his. And, after he still doesn’t get a reply from you, he gives up, and determines that the cell phone towers are conspiring against your friendship.

A denial-of-service attack takes advantage of this protocol to allow you to, well, troll Billy. How it works is as concisely explained in the comic strip — you send Billy a message saying you want to talk, and he sends you a message back saying that he’s ready to talk, but you “pretend” you never got his message, keeping him busy for a few minutes until he gives up. Then you poke him again, saying you want to talk again, and pretending you just can’t hear him, and he’ll always put in a full effort to try to start a conversation with you. This causes Billy a lot of aggravation, especially if you get a lot of people to do this to Billy! Eventually, he won’t be able to keep sending all these confirmations to all the people that he thinks genuinely want to talk to him; he spends every waking minute replying to these phony text messages, leaving him no time to start conversations with people who actually want to talk to him. Thus, you’re denying anyone who wants to actually talk to Billy the service of Billy’s conversation.

Miscellaneous Facts: The “text messages” that computers send to each other are called packets. It’s exactly like what it sounds like — a small parcel of information, wrapped nicely with a stamped address, date, return address, and all the good stuff.

The initial packet in the handshaking protocol is called a SYN packet, short for synchronize. The receiving computer sends back an ACK packet, short for acknowledge, as well as another SYN packet. The original conversation-starter replies to that SYN with a final ACK, and then the conversation can begin. The computer that sends both the SYN and the ACK at the same time sends a combined packet, usually referred to as SYN/ACK. This makes the protocol a three-packet protocol: SYN, SYN/ACK, then lastly, ACK.
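The half-open state described above, as an added example that is not part of the original article: a small Python model of the server’s SYN backlog run over a constructed packet log, showing how SYNs that are never followed by an ACK hold slots until the server gives up and crowd out an honest client. The server address, client addresses, timeout and backlog size are assumed values chosen for the example.

```python
from collections import defaultdict

# Constructed packet log for this example: (time_s, src_ip, dst_ip, flags).
# Only packets sent to the server occupy or release backlog slots; the
# server's SYN/ACK replies are shown for readability and skipped below.
SERVER = "192.0.2.10"
PACKETS = [
    (0.0, "10.0.0.5", SERVER, "SYN"),
    (0.0, SERVER, "10.0.0.5", "SYN/ACK"),
    (0.1, "10.0.0.5", SERVER, "ACK"),          # honest client finishes handshake
    (1.0, "198.51.100.7", SERVER, "SYN"),      # flooder: four SYNs, never ACKs
    (1.0, "198.51.100.7", SERVER, "SYN"),
    (1.1, "198.51.100.7", SERVER, "SYN"),
    (1.1, "198.51.100.7", SERVER, "SYN"),
    (2.0, "10.0.0.9", SERVER, "SYN"),          # honest client while backlog is full
    (6.0, "10.0.0.9", SERVER, "SYN"),          # retries once stale slots have expired
    (6.1, "10.0.0.9", SERVER, "ACK"),
]

SYN_TIMEOUT_S = 3.0  # assumed: server abandons a half-open slot after this long
BACKLOG = 4          # assumed: number of half-open connections the server holds


def analyse(packets, server, syn_timeout=SYN_TIMEOUT_S, backlog=BACKLOG):
    """Replay the log and report completed, abandoned and refused handshakes."""
    half_open = []                 # (syn_time, client) entries occupying slots
    abandoned = defaultdict(int)   # client -> slots held until the server gave up
    dropped = defaultdict(int)     # client -> SYNs refused because backlog was full
    completed = 0

    for ts, src, dst, flags in sorted(packets, key=lambda p: p[0]):
        if dst != server:
            continue
        # Expire entries the server has given up on (Billy stops resending).
        still_open = []
        for t0, client in half_open:
            if ts - t0 >= syn_timeout:
                abandoned[client] += 1
            else:
                still_open.append((t0, client))
        half_open = still_open

        if flags == "SYN":
            if len(half_open) >= backlog:
                dropped[src] += 1  # no slot left, honest or not: service denied
            else:
                half_open.append((ts, src))
        elif flags == "ACK":
            # The final ACK closes this client's oldest pending handshake.
            for i, (t0, client) in enumerate(half_open):
                if client == src:
                    del half_open[i]
                    completed += 1
                    break
    return {"completed": completed, "abandoned": dict(abandoned),
            "dropped": dict(dropped), "pending": len(half_open)}


def suspects(report, min_abandoned=3):
    """Sources that let several slots expire unanswered look like SYN flooders."""
    return sorted(c for c, n in report["abandoned"].items() if n >= min_abandoned)
```

On the constructed log the honest client at 10.0.0.9 is refused at t=2.0 while the flooder holds all four slots, and only succeeds after the timeout frees them.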

Source: http://pbjbreaktime.com/2011/01/what-is-ddos-denial-of-service-attack-explained-in-laymens-terms/

http://www.reddit.com/user/ProggitExplainer

South Korean police arrested a man from Seoul last week, on suspicion of working with North Korea to develop games infected with spyware.

According to a news report in the Korea JoongAng Daily, the 39-year-old game distributor was arrested on June 3 and charged with violating the National Security Law.

The law is North Korea-specific. Passed as the National Security Act in 1948, it outlawed:

communism;
recognition of North Korea as a political entity;
organizations advocating the overthrow of the government;
the printing, distributing, and ownership of “anti-government” material;
and any failure to report such violations by others.

The man was identified only by his family name, which news outlets render as either Cho or Jo.

Police claim that Cho met with North Korean spies who had set up a hacking base disguised as a trading firm in the northeastern Chinese city of Shenyang.

The North Korean spies were allegedly associated with the country’s Reconnaissance General Bureau.

According to the Federation of American Scientists, this department ferrets out strategic, operational, and tactical intelligence for the Ministry of the People’s Armed Forces and plants spies in South Korea, either via boat or through tunnels under the demilitarized zone.

The Seoul Metropolitan Police said that Cho paid the spies tens of millions of won to develop the illegal game software.

Ten million won is equal to US $8520 or £5514.

The police allege that Cho turned to the reconnaissance unit to develop the games at this cheap price and knew they were infected.

According to Geek.com, the cost of the infected games was about one-third of a typical price.

Cho is also accused of setting up a server in South Korea that the North Koreans used in attempts to launch DDoS attacks at South Korean networks.

According to Geek.com, one such recent DDoS attack was launched against South Korea’s Incheon International Airport. Airport departures were disrupted multiple times in the spring of 2011 as a result.

The attack used a botnet of zombified computers that had been infected after their owners downloaded the Trojans by playing the poisoned games.

Beyond turning players’ computers into zombies, authorities also believe that Cho may have passed along personal information about more than 100,000 registered users to the North Koreans.

The police said Cho retained the personal information of hundreds of thousands of South Koreans, having collected the data from major portals.

This isn’t the first time North Korea has been implicated in cyberwarfare against South Korea.

There have long been claims that North Korea is operating a cyberwarfare unit (presumably being countered by the one alleged to exist in South Korea), and in 2008 it was reported that South Korea’s military command and control centre was the target of a spyware attack from North Korea’s electronic warfare division.

The sexy female seductress at the centre of that case, who was accused of seducing army officers in exchange for military secrets, was subsequently jailed for five years.

In 2009, a massive DDoS attack crippled 26 South Korean and foreign governmental websites, including military sites.

This spring, between April 28 and May 13, North Korea’s Reconnaissance General Bureau also managed to devastate GPS signals throughout the Korean peninsula.

The Reconnaissance General Bureau’s cultivation of cyber warriors is now at such an advanced state, in fact, that a South Korean expert recently claimed that North Korea’s abilities to wage a devastating cyber war are behind only those of the US and Russia.

Source: http://nakedsecurity.sophos.com/2012/06/11/north-korea-uses-infected-games-to-ddos-south-korea/

Researchers at network security vendor Arbor Networks are warning of an increasingly strengthening tool being used by cybercriminals to conduct powerful distributed denial-of-service attacks (DDoS).

The tool, called MP-DDoser or IP-Killer, was first detected in December 2011 and, according to Jeff Edwards, a research analyst at Chelmsford, Mass.-based Arbor Networks Inc., the tool’s authors are making progress in eliminating flaws and adding improvements. The active development is boosting the tool’s attack capabilities and advancing its encryption algorithm to protect its botnet communications mechanism. Arbor released a report (.pdf) analyzing MP-DDoser’s capabilities and improvements.

“The key management is quite good, and the buggy DDoS attacks are not only fixed, but now include at least one technique … that may be considered reasonably cutting edge,” wrote Edwards, a member of Arbor’s security engineering and response team, in a blog entry Thursday.

Edwards said the “Apache Killer” technique, which can be deployed by the tool, is designed to flood requests to Apache Web servers, overwhelming the memory and ultimately causing it to crash. The technique is considered low-bandwidth, making it difficult to filter out the bad requests. A less successful form of the attack was used by a previous botnet, Edwards said, but the MP-DDoser authors appear to have incorporated it with some improvements.

“A review of the [IP-Killer] bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack,” Edwards wrote. “It is therefore one of the more effective low-bandwidth, ‘asymmetrical’ HTTP attacks at the moment.”

Asymmetric DDoS attacks typically use less-powerful packets to consume resources or alter network components, according to the United States Computer Emergency Readiness Team (US-CERT). Attacks are meant to overwhelm the CPU and system memory of a network device, according to US-CERT.

The steady increase in easily obtainable automated DDoS attack tools has put the attack technique in the hands of less-savvy cybercriminals. Arbor Networks’ Worldwide Infrastructure Report 2012 detailed a steady increase in powerful attacks over the last five years. The report, which surveyed 114 service providers, found that lower-bandwidth sophisticated attacks like those of MP-DDoser are an alarming trend.

MP-DDoser, IP-Killer botnet communications improvements
The MP-DDoser botnet does not spread spam or malware, making it more effective at conducting DDoS campaigns, according to Edwards.

The authors of MP-DDoser are also employing encryption and key management as part of network communications, Edwards said. Encrypting communications is becoming more common in malware to make it more difficult for investigators to trace the transmissions between the bot and the command-and-control server. Edwards called the MP-DDoser author’s use of encryption a “home brew” algorithm, making decryption even more difficult for researchers.

“All in all, MP-DDoser uses some of the better key management we have seen. But of course, at the end of the day, every bot has to contain – or be able to generate – its own key string in order to communicate with its C&C, so no matter how many layers of encryption our adversary piles on, they can always be peeled off one by one,” Edwards wrote.

Source: http://searchsecurity.techtarget.com/news/2240153127/Arbor-Networks-warns-of-IP-Killer-MP-DDoser-DDoS-tool