DDoS Attack Specialist Archive

The news stories surrounding hacktivist groups like Anonymous might lead business professionals to think that cyber criminals focus their efforts on government agencies and multinational corporations, skipping smaller companies that receive minimal to no press.

Midsize businesses, however, are just as vulnerable to the ever-popular Distributed Denial of Service (DDoS) attacks hackers use to suspend the services associated with a particular target. Attackers don’t just DDoS targets as a way of voicing political or ideological opinions; dishonest business owners can employ the services of a third-party to cause harm to competitors via digital means.

According to a new report from HostExploit, a community organization that tracks cyber criminals who exploit hosts to deliver crimeware, hackers are using open Domain Name System (DNS) resolvers to launch DDoS attacks against their targets.

DNS servers are responsible for converting hostnames, or domain names, into Internet Protocol (IP) addresses. A DNS resolver searches through one or more name servers to locate the information needed to resolve a client’s request.

Hackers are using misconfigured resolvers, claim the authors of the latest edition of HostExploit’s World Hosts Report, to power a DDoS. According to the report, “an attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target’s IP address.” The resolver then responds to the victim’s IP, rather than sending the information to the IP address that submitted the original queries.
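As an added illustration (not from the HostExploit report or the article), here is the kind of BIND 9 resolver configuration the report calls misconfigured, beside a restricted version; the network 192.0.2.0/24 standing in for the operator’s own client range is an assumed placeholder.

```conf
// Open resolver (the weak setting): recursion is offered to any source
// address, so spoofed queries "from" a victim's address are answered
// toward that victim. Use one of the two options blocks, not both.
options {
    recursion yes;
    allow-recursion { any; };
};

// Restricted resolver: recursion and cache access only for the operator's
// own networks (192.0.2.0/24 is an assumed placeholder), plus response
// rate limiting so a burst of identical queries aimed at one address
// cannot be turned into a matching burst of large responses.
options {
    recursion yes;
    allow-recursion   { localhost; localnets; 192.0.2.0/24; };
    allow-query-cache { localhost; localnets; 192.0.2.0/24; };
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```

Queried with `dig` from an address outside the allowed list, a resolver restricted this way should no longer return the record (BIND answers REFUSED), which is the check to run from outside your own network after the change.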

DDoS through DNS isn’t new–experts have been discussing it as a method of attack for a decade–but Neal Quinn, chief operating officer of Prolexic, told NetworkWorld, “We have seen [DDoS amplification] recently, and we see it increasing.”

DDoS attacks can have at least a moderate financial impact on a business, depending on how long the organization is affected. Outages can lead to increased operational costs–as loss of service must be addressed on top of other critical tasks–and lead to lost clients or customer refunds, harming revenue as a result. These attacks can also have a longer-lasting impact on a company’s reputation.

DDoS attacks are some of the most difficult to prevent, and common IT solutions–such as over-provisioning, in which a business provisions for several times the expected level of traffic during normal operation–won’t be as effective against efforts amplified using DNS resolvers. Even an Intrusion Detection System (IDS) won’t help, as these devices tend to disregard valid packets.

IT departments can rely on a third-party DDoS solution designed specifically to detect and mitigate attacks. Midsize businesses, however, should weigh the risks against the return on investment before subscribing to such services.

Source: http://midsizeinsider.com/en-us/article/hackers-use-dns-resolvers-to-distribute

In the wake of recent distributed denial of service attacks against banks, most institutions are missing a prime opportunity to educate their customers about security, says Gregory Nowak of the Information Security Forum.

“They seem to be regarding [DDoS attacks] as a secret,” says Nowak, a principal research analyst with the ISF.

HSBC Holdings, BB&T Corp. and Capital One are the most recent victims of DDoS attacks. These incidents have spanned five weeks and targeted 10 U.S. banking institutions, including Bank of America, Chase Bank, Wells Fargo, PNC Bank, U.S. Bancorp, SunTrust and Regions Bank. All the attacks are believed to be connected to the hacktivist group Izz ad-Din al-Qassam, which has taken credit on the public online forum Pastebin.

Izz ad-din al-Qassam said it would continue to target U.S. institutions until a YouTube movie trailer believed by the group to be anti-Islamic is removed from the Internet.

After the initial wave of attacks, Nowak went through the affected banks’ websites and couldn’t find any relevant information about what happened, how customers could understand it, or any reassurance that their information was safe.

“[Banks] should be taking the opportunity to explain to their customers the difference between denial of service attacks and some sort of hacking attack that actually puts information at risk, because their customers are worried and they don’t need to be,” Nowak says in an interview with Information Security Media Group’s Tom Field [transcript below].

Outlining how organizations should respond to this new wave of hacktivist attacks, Nowak discusses:

Why these DDoS attacks are successful;
Flaws in institutions’ prevention and response plans;
How to properly manage the risks of hacktivism.

Also, don’t miss Nowak’s new webinar on hacktivist attacks: Hacktivism: How to Respond.

Nowak is a principal research analyst for the Information Security Forum, an independent authority on information security. He has worked on ISF research projects on hacktivism, cybercitizenship and securing mobile devices. He also is responsible for ISF’s Information Risk Analysis Methodology (IRAM).

TOM FIELD: For the people out there who aren’t familiar with the Information Security Forum, tell us a little bit about your role with the forum and the work that you folks are doing.

GREG NOWAK: The Information Security Forum is a not-for-profit membership organization with members at the organization level. We have both public and private-sector members and we provide research, tools and methodologies for information security, broadly understood both technical and operational, involving information systems as well as personnel.

Recent Bank Attacks

FIELD: A huge topic for the past week or so has been the series of distributed denial of service attacks against U.S. financial institutions. What are your observations on the attacks that we witnessed against the banks?

NOWAK: I think the first thing to notice is that these are sort of innocent bystander attacks that have nothing to do with the activities of the bank. They’re motivated generally because the banks are seen as representatives of the United States, and we forget that when we think back to 9/11, the stated reasons for the attacks of 9/11 were actions of the U.S. government, but the stated reasons for the choice of targets was because the U.S. financial system represented America and the World Trade Center was chosen as a target. In the same sense, outside of the United States the distinction between public and private is blurred, and banks and financial institutions are seen as primary representatives of the American economy, the American way of life, and so they’re chosen as targets.

Communication Strategies

FIELD: What’s important for organizations to communicate to people that are hearing of these attacks through the media? And I ask that because I see that these have become very hot topics in the popular media, and everybody’s hearing about them and talking about them. Information about the attacks has been a little bit scant.

NOWAK: I have really been amazed at the nature of media coverage. For example, you referred to DDoS attacks. Everybody understands in the information security business that this is a distributed denial of service attack, and we know what that means. If you look at the mainstream media, they don’t use that term because they figure that most people don’t understand that so they refer to them as cyberattacks. That gets reinterpreted and when they talk about the actors, the actors are referred to as hackers or hacktivists, and then when the stories get quoted you hear stories like, “Major U.S. banks are hacked and your information may be at risk.” I find it surprising because somehow this notion that personal information has been put at risk by these attacks is being created in online discussions when that’s not part of the initial reporting.

The banks that have been affected are missing a great opportunity to communicate and educate their users. I tried visiting the sites, and there’s nothing on any of the bank sites that says, “Here’s what’s going on. Here’s how you can understand it. Your information is safe.” Sitedown.co has provided some up-to-date information about which sites are available, but the banks themselves are not doing a good job of communicating. They seem to be regarding it as a secret. They’re saying some people have access issues. People know they have access issues. They should be taking the opportunity to explain to their customers the difference between denial-of-service attacks and some sort of hacking attack that actually puts information at risk, because their customers are worried and they don’t need to be.

FIELD: Up to this point, only financial institutions seem to have been targeted, but we would be foolish to think that they would be the only targets. What would you say is the message to non-banking organizations that are watching this activity?

NOWAK: First of all, they should notice that the attacks have nothing to do specifically with activities to these banks. They were just chosen as representatives. They’re innocent bystanders in the whole story, and yet suddenly they have to deal with this situation that has taken them by surprise. I think the message is this can happen to any organization and they need to consider it as part of their risk management.

Defending against DDoS

FIELD: We’ve known about distributed denial-of-service attacks for years now. We know how to prevent them and how to protect against them. Why are these DDoS attacks so successful against these financial institutions?

NOWAK: First of all, there’s a matter of leverage. You can now rent botnets to conduct an attack, so it’s a low investment of financial resources, and it doesn’t take such a large number of individuals to coordinate this. If the initial money is available to rent the botnet and obtain the code, then almost anyone with the necessary amount of money can launch an attack. Someone who feels motivated to make some sort of public statement can do so easily on a large scale and take advantage of the reaction to the DDoS attacks to spread their message. People are gravitating towards these attacks because for a relatively small financial investment and investment of time, they can have a disproportionately large effect and get a lot of media attention.

FIELD: But shouldn’t an organization the size of a Chase Bank, PNC or U.S. Bank have the redundancy and the resources that their sites wouldn’t even be affected by this?

NOWAK: They should, and I’m surprised they don’t. One of the messages that I want to spread about this is that people should notice that the geographical distribution of legitimate clients online is different from the geographical distribution and therefore the IP-space distribution of malicious web traffic directed towards these sites. I think if banks and other organizations consider that a little more investment in intelligent routing and segmenting incoming traffic geographically and by IP sub-spaces was taken proactively, then they would be much less affected by these sorts of attacks, because only the front-ends that are devoted to certain subspaces of the IP space would be overloaded and they would have more capacity for the geography and the IP sub-net identified with most of their customers. And I don’t see that happening. I haven’t seen much discussion of it going on. People talk about adding capacity but I don’t see much use of intelligent routing to decrease the effects of botnet attacks.

Hacktivism

FIELD: Is it fair to say from what we know that this is hacktivist activity that we’re seeing?

NOWAK: It’s definitely fair to say that, but my advice is always to not pay too much attention to the motivations of the attacks unless it helps you mount particular countermeasures. And in this case, we know the story leading up to these attacks and the banks, and there’s no way this could be foreseen. Even understanding the motivation of the attackers really doesn’t lead to any changes in the sort of countermeasures you’d take for the proactive risk mitigation you’d want to put in place. I would advise people not to spend too much time thinking about the reasons for the attacks, but just thinking generically what they should be doing to prevent these kinds of attacks.

FIELD: If I could ask you this, what benefit do the hacktivist groups gain from attacks such as these? As you say, there’s not a breach involved. Information isn’t being taken as near as we can tell. It’s mischief.

NOWAK: It’s mischief, but also it’s in defense of an ideology, and people will do strange things and devote a lot of effort in defense of their ideologies, and they feel according to their own system of values that they have accomplished something by making a large public statement, again with a relatively small investment of money and time to advance their idea. And whether or not they achieve their end goal and change the world in the way they want to change or have a video removed from the Internet is less relevant than the fact that they see themselves as having accomplished something for spreading the message and making the attempt.

Proper Response

FIELD: We’ve talked about the poor response we’ve seen from organizations. From your perspective, for institutions that have been attacked, what would be the proper response?

NOWAK: First of all, they need to consider this as a significant risk to address in their risk management program. If someone told a retail business that a significant percentage of their physical locations would be blocked and customers who were trying to get access to these locations would not be able to enter the bank or other businesses for an entire day and this would be happening in multiple locations, they would regard that as a critical issue with an immediate response from the top levels of the organization. I’m surprised that the same level of urgency and seriousness of response isn’t occurring for these online attacks that just get as much media attention without as much messaging coming out of the organizations that say here’s what’s going on, here’s what we’re doing about it, your information is not at risk and this is just a traffic jam on the Internet. I think part of the problem is this word cyberattack, which is so vague and suggests that there’s hacking when in fact a more appropriate term in common language would be a traffic jam or slow down, something that communicates the idea that traffic’s being stopped but information itself is not being put at risk.

Preparation Tips

FIELD: For organizations that have not yet been attacked, what’s the proper preparation?

NOWAK: First of all, the Information Security Forum in its recent paper on hacktivism has advised our members to conduct simulations to identify what lines of communication the organization would use, to identify spokespeople and make sure there’s a proactive plan to address the media. They should also use all available lines of communication and explain what’s going on. There’s very little information coming out of the banks that have experienced these attacks. I’ve looked at some websites and they have their normal promotional materials there. They don’t have any banner headlines for more information about what has been going on lately, to “please read this.” That’s a missed opportunity for them. Communicating out to the public is important.

Also as I said there are technical measures that could be used and they do take some time and some investment to implement, but I think that it’s a worthwhile measure to take to mitigate the risk of a denial-of-service attack preventing access to the website. This is not something that people should wait for. They can take proactive measures. They shouldn’t look at it as something that they have no defenses against, and they should also make sure that they do have messaging in place and they’re prepared to communicate with the public and the media in advance so if it does happen to them, they’re not looking like they’re unprepared, which is the impression we now get from a lot of the responses we’ve seen.

FIELD: We’ve talked a good deal about external communication. How about internal? What do boards of directors and senior business leaders need to be hearing from their security leaders now?

NOWAK: The good news is that security departments are being taken more seriously and getting a seat at the table more often with the senior leadership, but I think the issue of denial-of-service attacks in particular is not high enough on the agenda. As I said earlier, if they were asked to consider what the level of criticality would be if a large percentage of physical locations for the business were blocked and customers couldn’t get access, they’d start to see how serious a problem this was and that it’s worth doing some proactive investing to mitigate the risk. And if the security folks can come forward and say, “Here are the things we need to do technically that will help us mitigate the risk, here is the kind of preparedness we need to have for messaging, here is how we need to cooperate with our legal department and our public relations department so we have something to say in the event this happens,” I think they will respond to this plan because my impression is that not much is happening because people have the general impression that there isn’t much that can be done. I think that with an organized plan that addresses both technical and communications issues, senior leadership could say, “Yes, this is worth investing in. We don’t want to be caught unprepared for this sort of thing.”

FIELD: We’re talking about banking institutions today. We could easily be talking about government organizations, healthcare organizations or universities tomorrow. For any organization concerned that it could be a target next, how would you boil down your advice to them?

NOWAK: It’s possible to be prepared. You should be prepared. You can’t tell when it’s going to happen, so you might as well start getting prepared now. Investigate technical measures that can reduce the risk. Know where your customer base is because it’s likely much more concentrated than the geographical and IP base of your attackers. You can defend against it. Prepare with your public relations and communications department to have messaging ready so if this happens to you, you can communicate clearly to the public and let them know what’s going on and what the actual risks are, because most members of the public think that their information is at risk just from DDoS attacks when in most cases it’s not.

Source: http://www.bankinfosecurity.com/ddos-attacks-what-to-tell-customers-a-5227/p-4

HSBC has restored its online banking services after a distributed denial of service (DDoS) attack.

HSBC said servers had come under a DDoS attack which affected HSBC websites around the world.

The DDoS attack on HSBC did not affect any customer data, but did prevent customers using HSBC online services, including internet banking.

“We are cooperating with the relevant authorities and will cooperate with other organisations that have been similarly affected by such criminal acts,” HSBC said.

In May, internet security firm Check Point said a survey of 2,500 IT professionals worldwide found DDoS attacks comprised one of the top risks to their networks.

Check Point said organisations need to be able to collaborate and share intelligence on emerging threats, so the severity of attacks can be mitigated or even blocked.

In April, a study revealed financial services firms were targeted by three times as many DDoS attacks in the first quarter of 2012 than in the previous three months.

This represented a 25% increase compared with the same period in 2011, according to the Q1 Global DDoS Attack Report from security firm Prolexic Technologies.

According to the Ponemon Institute’s 2012 Cost of Cyber Crime study, DDoS attacks were among the most costly cyber attacks on UK organisations, alongside those caused by malicious insiders and malicious code.

UK and Australian organisations were also found to be the most likely to experience DoS attacks, while German companies were the least likely target.

Attackers commonly use DoS to blackmail large organisations that depend on online availability to conduct business.

In July, Chinese and Hong Kong Police arrested blackmailers threatening commodities and securities traders with DDoS attacks.

The gang had demanded £3,000 to £10,000 from 16 Hong Kong-based firms and threatened to cripple their online operations with DDoS attacks if they did not pay.

Source: http://www.computerweekly.com/news/2240167901/HSBC-back-online-after-DDoS-attack

Over the past two weeks, the websites of multiple financial institutions–including Bank of America, JPMorgan Chase, PNC, U.S. Bank, and Wells Fargo–have been targeted by attackers, leading to their websites being disrupted. Furthermore, some banks appear to still be suffering related outages.

That’s led more than 1,000 customers of those institutions to file related complaints with Site Down, a website that tracks outages. Customers have reported being unable to access their checking, savings, and mortgage accounts, as well as bill-paying and other services, via the affected banks’ websites and mobile applications.

Many of the banks’ customers have also criticized their financial institutions for not clearly detailing what was happening, or what the banks were doing about it. “It was probably the least impressive corporate presentation of bad news I’ve ever seen,” Paul Downs, a small-business owner in Bridgeport, Pa., told The New York Times, where he’s also a small-business blogger.

A hacktivist group calling itself the Cyber fighters of Izz ad-din Al qassam has taken credit for the attacks, which it’s dubbed Operation Ababil, meaning “swarm” in Arabic. It said the attacks are meant to disrupt U.S. banking operations in retaliation for the release of the Innocence of Muslims film that mocks the founder of Islam.

Some of the attacked banks’ websites still appear to be experiencing outages, but Dan Holden, director of security for the Arbor Security Engineering and Response Team, said he’s seen no signs that any active attacks are currently underway. “Obviously, we’re only one day into the week, but we didn’t see anything yesterday, and while [the Cyber fighters of Izz ad-din Al qassam] said in the previous post that they’d be working over the weekend, there haven’t been any new posts stating that they’d be doing new attacks,” he said.

Tuesday, however, multiple Wells Fargo customers were still reporting that they were having trouble accessing the bank’s website, or getting it to respond after they’d logged in. “Day 8, still can’t get in with Safari or Firefox … getting old. I have a business to run here,” said an anonymous poster to Site Down. “This is getting old,” said another.

Asked to comment on reports that the bank’s website was continuing to experience outages, a spokeswoman for Wells Fargo repeated a statement released last week, saying via email that “customers can access their accounts through the online and mobile channels.”

Multiple Bank of America customers Tuesday also reported problems with the bank’s website, with some people saying they’d been experiencing disruptions for 10 days or more. “I agree … with all the other comments about this problem of being unable to go on line. What in the world is going on–get it fixed!” said an anonymous user Sunday on the Site Down website. But Bank of America spokesman Mark T. Pipitone said via email that the bank’s website has been working normally since last Tuesday, and suggested that the scale of any reported website problems was within normal parameters. “We service 30 million online banking customers,” he said. “Our online banking services have been, and continue to be, fully functional.”

Given attackers’ advance warning that they planned to take down the banking websites–which suggested that they’d launch distributed denial-of-service (DDoS) attacks–why didn’t banks simply block the attacks? As one PNC customer said in an online forum, “Come on PNC! Never heard of content delivery networks to make these attacks more difficult?? … Please invest in a more capable network security team and take care of your customers!”

But Arbor’s Holden, speaking by phone, said that the attackers had used multiple DDoS tools and attack types–including TCP/IP flood, UDP flood, as well as HTTP and HTTPS application attacks–together with servers sporting “massive bandwidth capacity.” So while the attacks weren’t sophisticated, they succeeded by blending variety and scale.

Given the massive bandwidth used in the attacks, were they really launched by hacktivists, which is what the attackers have claimed they are? Former U.S. government officials, speaking anonymously to various media outlets, have instead directly accused Iran of launching the attacks. Regardless of whether Iran is involved, Holden said that the bank attacks don’t resemble previously seen hacktivist attacks, which typically involved botnets of endpoint-infected PCs, or people who opted in to the attack, for example by using the Low Orbit Ion Cannon JavaScript DDoS tool from Anonymous.

“With Anonymous … you’d see those people coming together and launching an attack with a given tool,” Holden said. “With this, yes, you’re seeing multiple types of attacks, multiple tools, and while blended attacks are common, they’re not so common with classic hacktivism, or hacktivism that we’ve witnessed in the past.”

In other words, “we don’t know whether it’s hacktivism or whether it’s not,” said Holden. “There’s nothing really backing up the advertisement that this was a bunch of angry people. If it is, it’s people who have gone out with a particular skill set, or hired someone with a particular skill set, to launch these particular attacks.” But whoever’s involved in these attacks has quite a lot of knowledge related to the art of launching effective DDoS website takedowns, and has access to high-bandwidth servers, which they’ve either compromised, rented, or been granted access to.

Interestingly, the attackers do appear to have taken a page from the Anonymous attack playbook. “We don’t have all the information about which specific techniques have been used against the U.S. banks so far, but the ‘Izz ad-Din al-Qassam Cyber Fighters’ scripts are based on the JS LOIC scripts used by Anonymous as well,” said Jaime Blasco, AlienVault’s lab manager, via email.

But like Holden, Blasco said that the bank website attackers had used much more than just JavaScript. “The number of queries/traffic you need to generate to affect the infrastructure of those targets is very high,” he said. “To affect those targets, you need thousands of machines generating traffic, and … other types of DDoS.”

Source: http://www.informationweek.com/security/attacks/bank-site-attacks-trigger-ongoing-outage/240008314

GoDaddy is currently experiencing a massive DDoS attack. “Anonymous” was quick to claim responsibility, but at this point, there has been no confirmation from GoDaddy. GoDaddy only stated via Twitter: “Status Alert: Hey, all. We’re aware of the trouble people are having with our site. We’re working on it.”

The outage appears to affect the entire range of GoDaddy hosted services, including DNS, Websites and E-Mail. You may experience issues connecting to sites that use these services (for example our DShield.org domain is hosted with GoDaddy).

At this point, I would expect GoDaddy to keep its users up to date via its Twitter feed (http://twitter.com/GoDaddy). I am not aware of a reachable network status page for GoDaddy.


Source: http://isc.sans.edu/diary.html?storyid=14062&rss