DDoS Attack Specialist Archive

By David Meyer , 9 May, 2012 09:11

Hackers associated with Anonymous forced Virgin Media’s website offline for at least an hour on Tuesday, but the file-sharing service whose blockage sparked the protest has condemned the attack.

In an operation dubbed OpTPB, Anonymous hackers apparently subjected Virgin’s site to a distributed denial-of-service (DDoS) attack that began at 5pm. Twitter messages referring to OpTPB suggested that it was a response to Virgin Media’s blocking of The Pirate Bay (TPB), which began last week after a court ordered it.

Although Virgin admitted to an hour-long downtime, the site was still not working at the time of writing, around 16 hours after the attack began.

“DDoS and blocks are both forms of censorship,” The Pirate Bay told followers on its Facebook page, referring to “some random Anonymous groups [having] run a DDoS campaign against Virgin Media and some other sites”.

“We’d like to be clear about our view on this: We do NOT encourage these actions,” TPB said. “We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us. So don’t fight them using their ugly methods.”

The file-sharing service went on to suggest that those wanting to help it could set up a tracker, join or start a local Pirate Party, write to their political representatives or develop a new P2P protocol.

According to the BBC, Virgin said in a statement that it has to comply with court orders, but believes that “tackling the issue of copyright infringement needs compelling legal alternatives, giving consumers access to great content at the right price, to help change consumer behaviour”.

“Copyright defenders, including the British recorded music industry body BPI, have argued that illegal copies of films, books and music made available on file-sharing sites destroy creative industry jobs and discourage investment in new talent,” the ISP added.

The court order followed a ruling in February which established that TPB was infringing on copyright by providing a service that people use to unlawfully share copyrighted material.

TPB was not itself represented at the hearing that led to that ruling, but the judge, Mr Justice Arnold, argued that there was little point in trying to get the site’s proprietors into court when even the authorities in Sweden, TPB’s home country, had failed to do so.

Virgin Media was the first ISP to carry out the block ordered last week, but others covered by the same court order include Sky, Everything Everywhere, TalkTalk and O2. BT is not yet subject to the order as it has requested more time to assess the implications.

Source: http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/pirate-bay-condemns-virgin-media-hack-10026118/

TrustSphere says its TrustVault product helps crucial emails get through–even in the midst of a denial of service attack–by correctly identifying trusted senders.

As annoying as spam is, an overactive spam filter is almost worse when it prevents important messages from getting through.

A company called TrustSphere says the TrustVault product it introduced this week can act as a counterweight to the spam filter, using a type of “social graph” to identify trusted senders and allow their messages to get through–even in the midst of a crisis such as a distributed denial of service attack on an executive’s email account.

“Inside the the organization, we’re effectively mapping who’s speaking to whom and turning that into an enterprise social graph,” Manish Goel, CEO of TrustSphere, said in an interview. “We’re tracking who’s speaking with whom and how often–what’s the cadence of communication.” In that way, TrustVault can identify the trustworthy senders and allow their messages to go through, even if they would otherwise be blocked by a spam filter.

So far, this social graph is based entirely on the exchange of email, although TrustSphere is working on ways of integrating social media and voice over Internet protocol communications for a more complete picture, Goel said. But TrustSphere is applying elements of social networking theory such as Dunbar’s number, anthropologist Robin Dunbar’s concept that humans can only track a limited number of relationships, often theorized as about 150, and rely on “circles of trust” for more extended relationships. In this way, TrustSphere models trustworthy connections at the organizational level, as well as at the individual level. TrustVault is also linked to a related service, TrustCloud, which tracks the reputation of email accounts across the Internet.

TrustSphere doesn’t filter the content of the messages at all, looking only at the pattern of communication and touching only the email header fields, Goel said. The service does detect email authentication methods, such as the use of Sender Policy Framework tagging, but it’s counted as an indicator of trustworthiness rather than a final verdict, he said.

Messages cleared by TrustVault can still go through anti-virus and spyware scans, and even previously trusted senders can be screened out if they start exhibiting suspicious behavior, Goel said. But sometimes letting the right messages through can be as important as keeping the wrong ones out. For example, corporations targeted by activists or hactivists sometimes have the email accounts of top executives rendered useless when they are flooded by messages sent by angry consumers or generated by bots. With TrustVault, the messages from known senders could be delivered to the executive being targeted, while all the rest would be routed for review by an administrative assistant.

One of the company’s oldest customers, the doctors.net.uk social network for physicians in the U.K., has been using a version of the same technology to allow email that uses words like “Viagra” or “penis” to get past spam filters when those words are used in a legitimate medical context, rather than for spam or pornographic promotions, Goel said.

“This also allows you to turn up the threshold on the aggressiveness of your spam filters without missing messages,” Goel said. “I liken this to why cars have brakes–to allow you to go faster. Spam filtering is very much focused on identifying the bad guys. We’re using the good and the bad to improve the overall security infrastructure.”

Founded in Singapore, TrustSphere is just now bringing its product to the U.S. market.

Source: http://www.informationweek.com/thebrainyard/news/email/232901586

User forum Whirlpool was hit by a distributed denial-of-service (DDoS) attack last night, according to the site’s hosting provider BulletProof Networks.

Although BulletProof Networks chief operating officer (COO) Lorenzo Modesto first said that Whirlpool was the only one of its customers to be affected by the attack, he said later that its public and private managed cloud customers were experiencing intermittent degraded network performance also.

“BulletProof customers have been kept in the loop throughout (per our standard procedures),” Modesto said.

Modesto added that BulletProof had discussed the issue with Whirlpool, resulting in the site being offline last night while the provider gathered more information. The site is back online this morning.

“We made the decision to bring Whirlpool back online in the early hours of this morning through one of our international [content distribution network points of presence] that are usually used to deliver local high-speed content to the offshore users of customers like Movember,” Modesto said.

“We’re continuing the forensics just in case they’re needed and are keeping an eye Whirlpool,” he added.

The attack had come from servers in the US and Korea, according to BulletProof.

“We’ve also been able to record server addresses and other relevant details and have escalated the source servers to the relevant providers in Korea and the US,” he said. “If we need to, we’ll pass all details onto the [Australian Federal Police] with whom we’ve built a good relationship, but we’ll see how this pans out for the moment.”.

This has not been the first DDoS attack to hit the popular site. Last June it experienced ten hours of downtime from a DDoS attack.

BulletProof Networks had also collected internet protocol addresses from that attack, but decided not to prosecute as a “sign of good will”, saying that DDoS was recognised more as a protest than a crime.

However, not all DDoS perpetrators have received the same treatment in the past. Recently Steven Slayo, who was part of the anonymous band which launched attacks against government sites last year over the government’s planned mandatory internet service provider level internet filter was taken to court over his actions.

He pleaded guilty, but escaped criminal conviction because the magistrate deemed him an “intelligent and gifted student whose future would be damaged by a criminal record”.

Source: http://www.zdnet.com.au/whirlpool-hit-by-ddos-attack-339308730.htm

The Wireshark development team has released version 1.2.14 and 1.4.3 of its open source, cross-platform network protocol analyser. According to the developers, the security updates address a high-risk vulnerability (CVE-2010-4538) that could allow a remote attacker to initiate a denial of service (DoS) attack or possibly execute arbitrary code on a victim’s system.

Affecting both the 1.2.x and 1.4.x branches of Wireshark, the issue is reportedly caused by a buffer overflow in ENTTEC (epan/dissectors/packet-enttec.c) – the vulnerability is said to be triggered by injecting a specially crafted ENTTEC DMX packet with Run Length Encoding (RLE) compression. A buffer overflow issue in MAC-LTE has also been resolved in both versions. In version 1.4.3, a vulnerability in the ASN.1 BER dissector that could have caused Wireshark to exit prematurely has been corrected.

All users are encouraged to upgrade to the latest versions. Alternatively, users that are unable to upgrade to the latest releases can disable the affected dissectors by selecting “Analyze”, then “Enabled Protocols” from the menu and un-checking “ENTTEC” and “MAC-LTE”.

More details about the updates, including a full list of changes, can be found in the 1.2.14 and 1.4.3 release notes. Wireshark binaries for Windows and Mac OS X, as well as the source code, are available to download and documentation is provided. Wireshark, formerly known as Ethereal, is licensed under version 2 of the GNU General Public Licence (GPLv2).

Source: http://www.h-online.com/open/news/item/Wireshark-updates-address-vulnerabilities-1168888.html

Wikileaks isn’t the only site struggling to stay up these days because service providers are pulling their support. It appears that at least one person who wants to provide mirror access to Wikileaks documents is having the same trouble.

Recently we heard from a user who mirrored the Cablegate documents on his website. His hosting provider SiteGround suspended his account, claiming that he “severely” violated the SiteGround Terms of Use and Acceptable Use Policy. SiteGround explained that it had gotten a complaint from an upstream provider, SoftLayer, and had taken action “in order to prevent any further issues caused by the illegal activity.”

SiteGround told the user that he would need to update his antivirus measures and get rid of the folder containing the Wikileaks cables to re-enable his account. When the user asked why it was necessary to remove the Wikileaks folder, SiteGround sent him to SoftLayer. The user asked SoftLayer about the problem, but the company refused to discuss it with him because he isn’t a SoftLayer customer. Finally, SiteGround told the user that SoftLayer wanted the mirror taken down because it was worried about the potential for distributed denial of service (DDOS) attacks. When the user pointed out that no attack had actually happened, and that this rationale could let the company use hypothetical future events to take down any site, SiteGround said that it was suspending the account because a future DDOS attack might violate its terms of use.

If this sounds like a lame excuse, that’s because it is a lame excuse. It’s incredibly disappointing to see more service providers cutting off customers simply because they decide (or fear) that content is too volatile or unpopular to host. And the runaround that this user received from his host and its upstream provider demonstrates the broader problems with the lack of any real transparency or process around such important decisions.

Internet intermediaries — whether directly in contract with their users or further up the chain — need to stick up for their customers, not undermine their freedom to speak online. As we’ve said before, your speech online is only as free as the weakest intermediary.

This incident shows that censorship is a slippery slope. The first victim here was Wikileaks. Now it’s a Wikileaks mirror. Will a news organization that posts cables and provides journalistic analysis be next? Or a blogger who posts links to news articles describing the cables? If intermediaries are willing to use the potential for future DDOS attacks as a reason to cut off users, they can cut off anyone for anything.

EFF urges SiteGround, SoftLayer and other service providers to champion user rights and say no to online censorship.

Source: http://www.eff.org/deeplinks/2010/12/weakest-links-host-buckles-when-upstream-provider