DDoS Attack Specialist Archive

The resumption this week of distributed denial of service attacks against major U.S. banks brought not only more cost and disruption to financial institutions trying keep online services available, but it also raised new questions about the funding and true motives behind the attacks.

A number of service disruptions were reported this week as Izz ad-Din al-Qassam Cyber Fighters lived up to their promise on Pastebin to kick off a third round of DDoS attacks in protest of the continued availability of the movie “Innocence of Muslims” on YouTube. These attacks, however, are much different than the one-and-done types of DDoS attacks preferred by other socially and politically motivated groups.

Banks are no stranger to DDoS attacks, but since September, these attacks in particular have been noteworthy for the amount of traffic generated toward the banks, as well as for their targeting of applications and specific features available on the banking sites, the steady growth in the number of web servers used in the attacks, and the automated tools being used. Add it all up and it equals some hefty funding and know-how, either hackers bred in-house, or contracted from the outside.

“There’s no doubt in my mind that this is well funded at some level,” said Arbor Networks director of security research Dan Holden. “There’s no way this can go on for this long and with this type of investment without someone caring. Historically, if you look at hacktivism, it’s been driven by some sort of incident and usually they can’t drive an operation for this long. Usually they just lose interest.”

Attribution is always challenging in any kind of attack and it’s premature to call these attacks state-sponsored, but there has been skepticism from the outset about this particular campaign. Dmitri Alperovich, cofounder and CTO of security company CrowdStrike, told Threatpost in September the protestations over the movie were a red herring.

“I don’t buy that their motivation is in response to the video; this group has been carrying out attacks for months,” he said. “Their motivation is to send a message that this is what they’re capable of.” Alperovich said the group’s name is the same as the military wing of Hamas and it claims to have a Jihadist cause, he said. “If a terrorist group is interested in sending a message to us, this is one way of doing so. It’s relatively inexpensive and powerful message.”

The group behind these attacks has evolved its capabilities and is using a number of automated toolkits, including Brobot and itsoknoproblembro to carry out not only high-volume attacks of upwards of 70-100 GBps, but they’re able to do so against simultaneous targets. And this is more than just pinging a banking site with hundreds of thousands of synflood calls; the attacks are also application centric. In some cases, they’re going after application log-ins or trying to continuously download large files such as user agreements, policy statements and more.

The attackers are also using compromised web servers to fire off these requests, and according to experts, seem to be using simple Google searches to find vulnerable servers with PHP vulnerabilities or other flaws that are easily exploitable. Web servers have a lot more bandwidth than a compromised home machine, for example, thousands of which make up traditional botnets used in DDoS campaigns. Owning a web server, very much an old-school method of DDoS attacks against targets, is much more efficient for the attacker than waiting for clients to become infected with a Java exploit and malware, for example.

“The average home user has 10 MBps capabilities with broadband, with an upload speed of 1.5 MBps. To use that as a tool to attack the banks, to get 70 GBps, I would need 70,000 users,” said Barry Shteiman, senior security strategist at Imperva. “Web servers by designed are supposed to serve a large amount of users with half or 1 GBps of upload speed. I would need only 70 to 150 servers to get the same result.”

Taking this approach, Shteiman said, keeps costs down for an attacker. Using a Google search can render a long list of vulnerable web servers that are easy to find and difficult to patch. This is much simpler than writing or buying an exploit that bypasses a lot of client-side protections.

“If I know it’s going to take a lot of effort and money and bypass protections on user platforms, I need to find the best vector,” Shteiman said. “On websites, a lot of vulnerabilities are far less patched; we know most organizations are not covering Web threats.”

The banks, meanwhile, are defending well against these attacks, experts said, though they too have to spend more and evolve as attacks do.

“The attackers’ focus on a particular site is increasing because the banks’ defenses are so good at this point,” Arbor’s Holden said. “DDoS is not a set-and-forget type of defense. Because these attacks are so targeted a lot of people are no doubt still involved in defending against them; a lot of folks are not sleeping right now.”

Holden said he’s not surprised given the presumed funding, that the attacks and capabilities have grown.

“They have to in order to keep the campaign growing,” he said. “I expect to see further tool development, possibly targeted tools depending on how a bank website is built and structured. They’re learning about defenses for each particular site. Based on what they learned and what’s working, they are able to create tools with a particular site in mind.”

Source: http://threatpost.com/en_us/blogs/size-funding-bank-ddos-attacks-grow-third-phase-030813

Cloud providers face increasing number of DDoS attacks, as private data centers already deal with today

The eighth annual Worldwide Infrastructure Security Report, from security provider Arbor Networks, reveals how both cloud service providers and traditional data centers are under attack. The report examined a 12-month period and asked 200 security-based questions of 130 enterprise and network operations professionals. The key findings follow:

  • 94 percent of data center managers reported some type of security attacks
  • 76 percent had to deal with distributed denial-of-service (DDoS) attacks on their customers
  • 43 percent had partial or total infrastructure outages due to DDoS
  • 14 percent had to deal with attacks targeting a cloud service

The report concluded that cloud services are very tempting for DDoS attackers, who now focus mainly on private data centers. It’s safe to assume that, as more cloud services come into use, DDoS attacks on them will become more commonplace.

Arbor Networks is not the only company that cites the rise of DDoS attacks on cloud computing. Stratsec, in a report published last year, stated that some cloud providers are being infiltrated in botnet-style attacks.

This should not surprise anyone. In my days as CTO and CEO of cloud providers, these kinds of attacks were commonplace. Indeed, it became a game of whack-a-mole to keep them at bay, which was also the case at other cloud providers that suffered daily attacks.

The bitter reality is that for cloud computing to be useful, it has to be exposed on public networks. Moreover, cloud services’ presence is advertised and the interfaces well-defined. You can count on unauthorized parties to access those services, with ensuing shenanigans.

The only defense is to use automated tools to spot and defend the core cloud services from such attacks. Over time, the approaches and tools will become better, hopefully to a point where the attacks are more of a nuisance than a threat.

The larger cloud providers, such as Amazon Web Services, Hewlett-Packard, Microsoft, and Rackspace, already have good practices and technology in place to lower the risk that these attacks will hinder customer production. However, the smaller cloud providers may not have the resources to mount a suitable defense. Unfortunately, I suspect they will make them the primary targets.

Source: http://www.infoworld.com/d/cloud-computing/cloud-use-grows-so-will-rate-of-ddos-attacks-211876

Nearly two-thirds of companies have experienced at least three denial-of-service attacks in the past year, Ponemon study reports

Organizations are becoming increasingly concerned about system availability as they experience more and more distributed denial-of-service (DDoS) attacks, a new study says.

The study, conducted by the Ponemon Institute and sponsored by Radware, surveyed 705 IT security professionals on issues related to downtime and DDoS.

While security pros have traditionally been focused on preventing data theft or corruption, today’s professionals are more worried about system availability, the study says.

“DDoS attacks cost companies 3.5 million dollars every year,” Ponemon says. “Sixty-five percent reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes per attack.

“With the cost for each minute of downtime amounting to as much as $100,000 per minute – including lost traffic, diminished end-user productivity and lost revenues – it is no surprise that respondents ranked availability as their top cyber security priority,” the study says.

Most organizations don’t have the ability to strike back at attackers, according to Ponemon. “While 60 percent say they want technology that slows down or even halts an attacker’s computer, the majority (63 percent) of respondents give their organizations an average or below average rating when it comes to their ability to launch counter measures,” the report states. Three-quarters of organizations still rely on antivirus and anti-malware to protect themselves from attacks, Ponemon says.

Source: http://www.darkreading.com/risk-management/167901115/security/vulnerabilities/240142111/most-organizations-unprepared-for-ddos-attacks-study-says.html

The news stories surrounding hacktivist groups like Anonymous might lead business professionals to think that cyber criminals focus their efforts on government agencies and multinational corporations, skipping smaller companies that receive minimal to no press.

Midsize businesses, however, are just as vulnerable to the ever-popular Distributed Denial of Service (DDoS) attacks hackers use to suspend the services associated with a particular target. Attackers don’t just DDoS targets as a way of voicing political or ideological opinions; dishonest business owners can employ the services of a third-party to cause harm to competitors via digital means.

According to a new report from HostExploit, a community organization that tracks cyber criminals who exploit hosts to deliver crimeware, hackers are using open Domain Name System (DNS) resolvers to launch DDoS attacks against their targets.

DNS servers are responsible for converting hostnames, or domain names, into Internet Protocol (IP) addresses. A DNS resolver searches through one or more name servers to locate the information needed to resolve a client’s request.
Hackers are using misconfigured resolvers, claim the authors of the latest edition of HostExploit’s World Hosts Report, to power a DDoS. According to the report, “an attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target’s IP address.” The resolver then responds to the victim’s IP, rather than sending the information to the IP address that submitted the original queries.

DDoS through DNS isn’t new–experts have been discussing it as a method of attack for a decade–but Neal Quinn, chief operating officer of Prolexic, told NetworkWorld, “We have seen [DDoS amplification] recently, and we see it increasing.”

DDoS attacks can have at least a moderate financial impact on a business, depending on how long the organization is affected. Outages can lead to increased operational costs–as loss of service must be addressed on top of other critical tasks–and lead to lost clients or customer refunds, harming revenue as a result. These attacks can also have a longer-lasting impact on a company’s reputation.

DDoS attacks are some of the most difficult to prevent, and common IT solutions–such as over-provisioning, in which an business provisions for several times the expected level of traffic during normal operation–won’t be as effective against efforts amplified using DNS resolvers. Even an Intrusion Detection System (IDS) won’t help as these devices tend to disregard valid packets.

IT departments can rely on a third-party DDoS solution designed specifically to detect and mitigate attacks. Midsize businesses, however, should weigh the risks against the return on investment before subscribing to such services.

Source: http://midsizeinsider.com/en-us/article/hackers-use-dns-resolvers-to-distribute

In the wake of recent distributed denial of service attacks against banks, most institutions are missing a prime opportunity to educate their customers about security, says Gregory Nowak of the Information Security Forum.

“They seem to be regarding [DDoS attacks] as a secret,” says Nowak, a principal research analyst with the ISF.

HSBC Holdings, BB&T Corp. and Capital One are the most recent victims of DDoS attacks. These incidents have spanned five weeks and targeted 10 U.S. banking institutions, including Bank of America, Chase Bank, Wells Fargo, PNC Bank, U.S. Bancorp, SunTrust and Regions Bank. All the attacks are believed to be connected to the hacktivist group Izz ad-Din al-Qassam, which has taken credit on the public online forum Pastebin.

Izz ad-din al-Qassam said it would continue to target U.S. institutions until a YouTube movie trailer believed by the group to be anti-Islamic is removed from the Internet.

After the initial wave of attacks, Nowak went through the affected banks’ websites and couldn’t find any relevant information about what happened, how customers can understand it, as well as the reassurance that their information is safe.

“[Banks} should be taking the opportunity to explain to their customers the difference between denial of service attacks and some sort of hacking attack that actually puts information at risk, because their customers are worried and they don’t need to be,” Nowak says in an interview with Information Security Media Group’s Tom Field [transcript below].

Outlining how organizations should respond to this new wave of hacktivist attacks, Nowak discusses:

Why these DDoS attacks are successful;
Flaws in institutions’ prevention and response plans;
How to properly manage the risks of hacktivism.

Also, don’t miss Nowak’s new webinar on hacktivist attacks: Hacktivism: How to Respond.

Nowak is a principal research analyst for the Information Security Forum, an independent authority on information security. He has worked on ISF research projects on hacktivism, cybercitizenship and securing mobile devices. He also is responsible for ISF’s Information Risk Analysis Methodology (IRAM).

TOM FIELD: For the people out there who aren’t familiar with the Information Security Forum, tell us a little bit about your role with the forum and the work that you folks are doing.

GREG NOWAK: The Information Security Forum is a not-for-profit membership organization with members at the organization level. We have both public and private-sector members and we provide research, tools and methodologies for information security, broadly understood both technical and operational, involving information systems as well as personnel.
Recent Bank Attacks

FIELD: A huge topic for the past week or so has been the series of distributed denial of service attacks against U.S. financial institutions. What are your observations on the attacks that we witnessed against the banks?

NOWAK: I think the first thing to notice is that these are sort of innocent by-stander attacks that have nothing to do with the activities of the bank. They’re motivated generally because the banks are seen as representatives of the United States, and we forget that when we think back to 9/11, the stated reasons for the attacks of 9/11 were actions of the U.S. government, but the stated reasons for the choice of targets was because the U.S. financial system represented America and the World Trade Center was chosen as a target. In the same sense, outside of the United States the distinction between public and private is blurred, and banks and financial institutions are seen as primary representatives of the American economy, the American way of life, and so they’re chosen as targets.
Communication Strategies

FIELD: What’s important for organizations to communicate to people that are hearing of these attacks through the media? And I ask that because I see that these have become very hot topics in the popular media, and everybody’s hearing about them and talking about them. Information about the attacks has been a little bit scant.

NOWAK: I have really been amazed at the nature of media coverage. For example, you referred to DDoS attacks. Everybody understands in the information security business that this is a distributed denial of service attack, and we know what that means. If you look at the mainstream media, they don’t use that term because they figure that most people don’t understand that so they refer to them as cyberattacks. That gets reinterpreted and when they talk about the actors, the actors are referred to as hackers or hacktivists, and then when the stories get quoted you hear stories like, “Major U.S. banks are hacked and your information may be at risk.” I find it surprising because somehow this notion that personal information has been put at risk by these attacks is being created in online discussions when that’s not part of the initial reporting.

The banks that have been affected are missing a great opportunity to communicate and educate their users. I tried visiting the sites, and there’s nothing on any of the bank sites that says, “Here’s what’s going on. Here’s how you can understand it. Your information is safe.” Sitedown.co has provided some up-to-date information about which sites are available, but the banks themselves are not doing a good job of communicating. They seem to be regarding it as a secret. They’re saying some people have access issues. People know they have access issues. They should be taking the opportunity to explain to their customers the difference between denial-of-service attacks and some sort of hacking attack that actually puts information at risk, because their customers are worried and they don’t need to be.

FIELD: Up to this point, only financial institutions seem to have been targeted, but we would be foolish to think that they would be the only targets. What would you say is the message to non-banking organizations that are watching this activity?

NOWAK: First of all, they should notice that the attacks have nothing to do specifically with activities to these banks. They were just chosen as representatives. They’re innocent bystanders in the whole story, and yet suddenly they have to deal with this situation that has taken them by surprise. I think the message is this can happen to any organization and they need to consider it as part of their risk management.
Defending against DDoS

FIELD: We’ve known about distributed denial-of-service attacks for years now. We know how to prevent them and how to protect against them. Why are these DDoS attacks so successful against these financial institutions?

NOWAK: First of all, there’s a matter of leverage. You can now rent botnets to conduct an attack, so it’s a low investment of financial resources, and it doesn’t take such a large number of individuals to coordinate this. If the initial money is available to rent the botnet and obtain the code, then almost anyone with the necessary amount of money can launch an attack. Someone who feels motivated to make some sort of public statement can do so easily on a large scale and take advantage of the reaction to the DDoS attacks to spread their message. People are gravitating towards these attacks because for a relatively small financial investment and investment of time, they can have a disproportionately large effect and get a lot of media attention.

FIELD: But shouldn’t an organization the size of a Chase Bank, PNC or U.S. Bank have the redundancy and the resources that their sites wouldn’t even be affected by this?

NOWAK: They should, and I’m surprised they don’t. One of the messages that I want to spread about this is that people should notice that the geographical distribution of legitimate clients online is different from the geographical distribution and therefore the IP-space distribution of malicious web traffic directed towards these sites. I think if banks and other organizations consider that a little more investment in intelligent routing and segmenting incoming traffic geographically and by IP sub-spaces was taken proactively, then they would be much less affected by these sorts of attacks because only the front-ends are devoted to certain subspaces of the IP space would be overloaded and they would have more capacity for the geography and the IP sub-net identified with most of their customers. And I don’t see that happening. I haven’t seen much discussion of it going on. People talk about adding capacity but I don’t see much use of intelligent routing to decrease the effects of botnet attacks.

FIELD: Is it fair to say from what we know that this is hacktivist activity that we’re seeing?

NOWAK: It’s definitely fair to say that, but my advice is always to not pay too much attention to the motivations of the attacks unless it helps you mount particular countermeasures. And in this case, we know the story leading up to these attacks and the banks, and there’s no way this could be foreseen. Even understanding the motivation of the attackers really doesn’t lead to any changes in the source of countermeasures you’d take for the proactive risk mitigation you’d want to put in place. I would advise people not to spend too much time thinking about the reasons for the attacks, but just thinking generically what they should be doing to prevent these kinds of attacks.

FIELD: If I could ask you this, what benefit do the hacktivist groups gain from attacks such as these? As you say, there’s not a breach involved. Information isn’t being taken as near as we can tell. It’s mischief.

NOWAK: It’s mischief, but also it’s in defense of an ideology, and people will do strange things and devote a lot of effort in defense of their ideologies, and they feel according to their own system of values that they have accomplished something by making a large public statement, again with a relatively small investment of money and time to advance their idea. And whether or not they achieve their end goal and change the world in the way they want to change or have a video removed from the Internet is less relevant than the fact that they see themselves as having accomplished something for spreading the message and making the attempt.
Proper Response

FIELD: We’ve talked about the poor response we’ve seen from organizations. From your perspective, for institutions that have been attacked, what would be the proper response?

NOWAK: First of all, they need to consider this as a significant risk to address in their risk management program. If someone told a retail business that a significant percentage of their physical locations would be blocked and customers who were trying to get access to these locations would not be able to enter the bank or other businesses for an entire day and this would be happening in multiple locations, they would regard that as a critical issue with an immediate response from the top levels of the organization. I’m surprised that the same level of urgency and seriousness of response isn’t occurring for these online attacks that just get as much media attention without as much messaging coming out of the organizations that say here’s what’s going on, here’s what we’re doing about it, your information is not at risk and this is just a traffic jam on the Internet. I think part of the problem is this word cyberattack, which is so vague and suggests that there’s hacking when in fact a more appropriate term in common language would be a traffic jam or slow down, something that communicates the idea that traffic’s being stopped but information itself is not being put at risk.
Preparation Tips

FIELD: For organizations that have not yet been attacked, what’s the proper preparation?

NOWAK: First of all, the Information Security Forum in it’s recent paper on hacktivism has advised our members to conduct simulation to identify what lines of communication the organization would use, to identify spokespeople and make sure there’s a proactive plan to address the media. They should also use all available lines of communication and explain what’s going on. There’s very little information coming out of the banks that have experienced these attacks. I’ve looked at some websites and they have their normal promotional materials there. They don’t have any banner headlines for more information about what has been going on lately, to “please read this.” That’s a missed opportunity for them. Communicating out to the public is important.

Also as I said there are technical measures that could be used and they do take some time and some investment to implement, but I think that it’s a worthwhile measure to take to mitigate the risk of a denial-of-service attack preventing access to the website. This is not something that people should wait for. They can take proactive measures. They shouldn’t look at it as something that they have no defenses against, and they should also make sure that they do have messaging in place and they’re prepared to communicate with the public and the media in advance so if it does happen to them, they’re not looking like they’re unprepared, which is the impression we now get from a lot of the responses we’ve seen.

FIELD: We’ve talked a good deal about external communication. How about internal? What do boards of directors and senior business leaders need to be hearing from their security leaders now?

NOWAK: The good news is that security departments are being taken more seriously and getting a seat at the table more often with the senior leadership, but I think the issue of denial-of-service attacks in particular is not high enough on the agenda. As I said earlier, if they were asked to consider what the level of criticality would be if a large percentage of physical locations for the business were blocked and customers couldn’t get access, they’d start to see how serious a problem this was and that it’s worth doing some proactive investing to mitigate the risk. And if the security folks can come forward and say, ‘Here are the things we need to do technically that will help us mitigate the risk, here is the kind of preparedness we need to have for messaging, here is how we need to cooperate with our legal department and our public relations department so we have something to say in the event this happens,” I think they will respond to this plan because my impression is that not much is happening because people have the general impression that there isn’t much that can be done. I think that with an organized plan that addresses both technical and communications issues, senior leadership could say, “Yes, this is worth investing in. We don’t want to be caught unprepared for this sort of thing.”

FIELD: We’re talking about banking institutions today. We could easily be talking about government organizations, healthcare organizations or universities tomorrow. For any organization concerned that it could be a target next, how would you boil down your advice to them?

NOWAK: It’s possible to be prepared. You should be prepared. You can’t tell when it’s going to happen, so you might as well start getting prepared now. Investigate technical measures that can reduce the risk. Know where your customer base is because it’s likely much more concentrated then the geographical and IP base of your attackers. You can defend against it. Prepare with your public relations and communications department to have messaging ready so if this happens to you, you can communicate clearly to the public and let them know what’s going on and what the actual risks are, because most members of the public think that their information is at risk just from DDoS attacks when in most cases it’s not.

Source: http://www.bankinfosecurity.com/ddos-attacks-what-to-tell-customers-a-5227/p-4