Blocking DDoS Archive

When two computers wish to communicate, they have to acknowledge that they are ready to communicate, and this process is sort of like talking to a friend by text messages. Say you want to talk to Billy: you send Billy a text message saying you want to talk. Billy gets this message from you, which is good, because he also knows that you-to-Billy communication works — this is sort of a big deal, because you and Billy live in a world where cell phone providers aren’t very reliable.

Billy now has to let you know that you got his message, and that Billy-to-you communication is works, so he replies with another text message, saying “Looks like I can get your messages, and I’m attending my phone now” You get this message, and everything looks cheery, so you send him a last text message saying “I can get yours too. Let’s start talking!” where you and Billy can now carry on a friendly chat.

This is how computers communicate with each other; it’s called handshaking, and it’s used to do two things: acknowledge the desire to communicate with each other, and to make sure the lines of communication are working well. It’s harder to prove the latter, because in the example above, Billy might not have gotten your last text message, and you’d never know, so it would be reassuring if he acknowledged if he got it by sending you another confirmation, before you start wasting a ton of money through sending him a bunch of text messages that he might not even get! Of course, then you’d have to confirm that you got his confirmation, and he’d have to confirm that confirmation, and so forth. As reassuring as it is, we can’t keep doing this indefinitely, and network engineers have had to come up with a solution to this problem, known as The Two Generals’ Problem. In the end, they settled on the protocol as mentioned above.

Now, say you want to chat with Billy, so you send him a text message to see if he’s there. He confirms that he’s there, but the text message gets dropped because of a bad cell phone tower. Now both of you are stuck at a stalemate; you’re waiting for his confirmation, and he’s waiting for yours. This is a bad situation! So, in order to avoid this, Billy tries to resend his reply after a certain amount of time, after not hearing from you, because he doesn’t know whether it’s your cell phone tower that’s bad, or his. And, after he still doesn’t get a reply from you, he gives up, and determines that the cell phone towers are conspiring against your friendship.

A Denial-of-Service takes advantage of this protocol, to allow you to, well, troll Billy. How it works is as concisely explained in the comic strip — you send Billy a message saying you want to talk, and he sends you a message back saying that he’s ready to talk, but you “pretend” like you never got his message, keeping him busy for a few minutes until he gives up. Then you poke him again, saying you want to talk again, and pretending like you just can’t hear him, and he’ll always put in a full effort to try to start a conversation with you. This causes Billy a lot of aggravation, especially if you get a lot of people to do this to Billy! Eventually, he won’t be able to keep sending all these confirmations to all the people that he thinks genuinely want to talk to him, and he spends every waking minute replying to these phony text messages, leaving him no time to start conversations with people who actually want to talk to him. Thus, you’re denying anyone who wants to actually talk to Billy the service of Billy’s conversation.

Miscellaneous Facts: The “text messages” that computers send to each other are called packets. It’s exactly like what it sounds like — a small parcel of information, wrapped nicely with a stamped address, date, return address, and all the good stuff.

The initial packet in the handshaking protocol is called a SYN packet, short for synchronize. The receiving computer sends back an ACK packet, short for acknowledge, as well as another SYN packet. The original conversation-starter replies to the SYN packet with a final ACK, and then conversation can begin. The computer who sends both the SYN and the ACK at the same time sends a combined packet, usually referred to as SYN/ACK. This makes the protocol a three-packet protocol: SYN, SYN/ACK, then lastly, ACK.

Source: http://pbjbreaktime.com/2011/01/what-is-ddos-denial-of-service-attack-explained-in-laymens-terms/

http://www.reddit.com/user/ProggitExplainer

South Korean police arrested a man from Seoul last week, on suspicion of working with North Korea to develop games infected with spyware.

According to a news report in the Korea JoongAng Daily, the 39-year-old game distributor was arrested on June 3 and charged with violating the National Security Law.

The law is North Korea-specific. Passed as the National Security Act in 1948, it outlawed:

communism;
recognition of North Korea as a political entity;
organizations advocating the overthrow of the government;
the printing, distributing, and ownership of “anti-government” material;
and any failure to report such violations by others.

The man was identified only by his family name, which news outlets render as either Cho or Jo.

Police claim that Cho met with North Korean spies who had set up a hacking base disguised as a trading firm in the Northeastern Chinese city of Shenyang.

The North Korean spies were allegedly associated with the country’s Reconnaissance General Bureau.

According to the Federation of American Scientists, this department ferrets out strategic, operational, and tactical intelligence for the Ministry of the People’s Armed Forces and plants spies in South Korea, either via boat or though tunnels under the demilitarized zone.

The Seoul Metropolitan Police said that Cho paid the spies tens of millions of won to develop the illegal game software.

Ten million won is equal to US $8520 or £5514.

The police allege that Cho turned to the reconnaissance unit to develop the games at this cheap price and knew they were infected.

According to Geek.com, the cost of the infected games was about one-third of a typical price.

Cho is also accused of setting up a server in South Korea that the North Koreans used in attempts to launch DDoS attacks at South Korean networks.

According to Geek.com, one such recent DDoS attack was launched against South Korea’s Incheon International Airport. Airport departures were disrupted multiple times in the spring of 2011 as a result.

The attack used a botnet of zombified computers that had been infected after their owners downloaded the Trojans by playing the poisoned games.

Beyond turning players’ computers into zombies, authorities also believe that Cho may have passed along personal information about more than 100,000 registered users to the North Koreans.

The police said Cho retained the personal information of hundreds of thousands of South Koreans, having collected the data from major portals.

This isn’t the first time North Korea has been implicated in cyberwarfare against South Korea.

There have long been claims that North Korea is operating a cyberwarfare unit (presumably being countered by the one alleged to exist in South Korea), and in 2008 it was reported that South Korea’s military command and control centre were the target of a spyware attack from North Korea’s electronic warfare division.

The sexy female seductress at the centre of that case, who was accused of seducing army officers in exchange for military secrets, was subsequently jailed for five years.

In 2009, a massive DDoS attack crippled 26 South Korean and foreign governmental websites, including military sites.

This spring, between April 28 and May 13, North Korea’s Reconnaissance General Bureau also managed to devastate GPS signals throughout the Korean peninsula.

The Reconnaissance General Bureau’s cultivation of cyber warriors is now at such an advanced state, in fact, that a South Korean expert recently claimed that North Korea’s abilities to wage a devastating cyber war are behind only those of the US and Russia.

Source: http://nakedsecurity.sophos.com/2012/06/11/north-korea-uses-infected-games-to-ddos-south-korea/

Researchers at network security vendor Arbor Networks are warning of an increasingly strengthening tool being used by cybercriminals to conduct powerful distributed denial-of-service attacks (DDoS).

The tool, called MP-DDoser or IP-Killer, was first detected in December 2011 and, according to Jeff Edwards, a research analyst at Chemlsford, Mass.-based Arbor Networks Inc., the tool’s authors are making progress in eliminating flaws and adding improvements.   The active development is boosting the tool’s attack capabilities and advancing its encryption algorithm to protect its botnet communications mechanism. Arbor released a report analyzing MP-DDoser’s (.pdf) capabilities and improvements.

“The key management is quite good, and the buggy DDoS attacks are not only fixed, but now include at least one technique … that may be considered reasonably cutting edge,” wrote Edwards, a member of Arbor’s security engineering and response team, in a blog entry Thursday.

Edwards said the “Apache Killer” technique, which can be deployed by the tool, is designed to flood requests to Apache Web servers, overwhelming the memory and ultimately causing it to crash. The technique is considered low-bandwidth, making it difficult to filter out the bad requests. A less successful form of the attack was used by a previous botnet, Edwards said, but the MP-DDoser authors appear to have incorporated it with some improvements.

“A review of the [IP-Killer] bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack,” Edwards wrote. “It is therefore one of the more effective low-bandwidth, ‘asymmetrical’ HTTP attacks at the moment.”

Asymmetric DDoS attacks typically use less-powerful packets to consume resources or alter network components, according to the United States Computer Emergency Readiness Team (US-CERT). Attacks are meant to overwhelm the CPU and system memory of a network device, according to US-CERT.

The steady increase and easily obtainable automated DDoS attack tools have put the attack technique in the hands of less-savvy cybercriminals. Arbor Networks’ Worldwide Infrastructure Report 2012 detailed a steady increase in powerful attacks over the last five years. The report, which surveyed 114 service providers, found that lower-bandwidth sophisticated attacks like MP-DDoser are becoming alarming.

MP-DDoser, IP-Killer botnet communications improvements
The MP-DDoser botnet does not spread spam or malware, making it more effective at conducting DDoS campaigns, according to Edwards.

The authors of MP-DDoser are also employing encryption and key management as part of network communications, Edwards said. Encrypting communications is becoming more common in malware to make it more difficult for investigators to trace the transmissions between the bot and the command-and-control server. Edwards called the MP-DDoser author’s use of encryption a “home brew” algorithm, making decryption even more difficult for researchers.

“All in all, MP-DDoser uses some of the better key management we have seen. But of course, at the end of the day, every bot has to contain – or be able to generate – its own key string in order to communicate with its C&C, so no matter how many layers of encryption our adversary piles on, they can always be peeled off one by one,” Edwards wrote.

Source: http://searchsecurity.techtarget.com/news/2240153127/Arbor-Networks-warns-of-IP-Killer-MP-DDoser-DDoS-tool

The San Diego County Registrar of Voters’ website went out of service on election night because a firewall recognized an attempt to attack the site, officials said today, adding that an investigation was being conducted.

Sdvote.com went down soon after initial results were posted after 8 p.m. Tuesday, and the site remained inoperative for about two hours. Access to the site was also spotty after midnight.

Residents and local politicos use the site to track results. The county also uses its information technology to send a direct feed of results to news media, but that feed was not interrupted.

According to a county statement, sdvote.com began receiving well over 1 million hits per minute from a single Internet protocol address around 8:15 p.m., so a firewall that recognized suspicious activity shut down outside access to county websites.

Investigators said they believe the “denial of service” attack was launched against the site to prevent legitimate users from obtaining information.

It was unknown if the attack was meant to disrupt the election itself, according to the county.

IT vendor Hewlett Packard ruled out any hardware or software issues, and there was plenty of capacity for the number of users who tried to use sdvote.com, according to the county.

County officials said they were working with a security team and Hewlett Packard to find who or what was responsible for the attack, and reviewing ways to keep such an event from taking down the site in the future.

Source: http://www.kpbs.org/news/2012/jun/07/county-says-its-voting-results-website-was-hacked-/

Last year there was an odd incident in South Korea, where a widely distributed computer game appeared to be infected with malware (software that secretly uses the PC it is on for criminal activity, including stealing valuable data from the PC it is on). What caught the attention of South Korean military intelligence was the fact that the malware was hidden in every copy of this game and, at one point, many of the 100,000 infected PCs tried to shut down the air traffic control system at a major South Korean airport.

Further investigation revealed that the airport attack was part of a growing Cyber War campaign by North Korea against government and military web sites in South Korea. One of the most disruptive North Korean Cyber War weapons was DDOS (distributed denial of service) attacks. These are carried out by first using a computer virus (often delivered as an email attachment or, in this case, via a game), that installs a secret a Trojan horse type program, that allows someone else to take over that computer remotely, and turn it into a “zombie” for spamming, stealing, monitoring or DDOS attacks to shut down another site. There are millions of zombie PCs out there, and these can be rented, either form spamming or lunching DDOS attacks. Anyone with about $100,000 in cash, including North Korea, could carry out attacks. You can equip a web site to resist, or even brush off, a DDOS attack, and some of those attacked ware prepared. But others were not. The South Korea airport was disrupted for several hours.

Last year was the third time since 2009 that someone, apparently North Korea, has launched DDOS attacks, and attempted to hack into South Korean networks. But part of this latest DDOS effort was carried out by a North Korean botnet of zombie PCs obtained by selling the malware infected games. Further investigation found that the South Korean creator of the games had been financed by North Korea agents, who provided the malware payload. These games were made available for sale on South Korean web sites. Police are still inspecting the malware, which may have been stealing data from infected PCs, in addition to be part of a botnet of PCs used for DDOS attacks.

Source: http://www.strategypage.com/htmw/htiw/articles/20120607.aspx