DDoS Attack Specialist Archive

Researchers at network security vendor Arbor Networks are warning of an increasingly strengthening tool being used by cybercriminals to conduct powerful distributed denial-of-service attacks (DDoS).

The tool, called MP-DDoser or IP-Killer, was first detected in December 2011 and, according to Jeff Edwards, a research analyst at Chemlsford, Mass.-based Arbor Networks Inc., the tool’s authors are making progress in eliminating flaws and adding improvements.   The active development is boosting the tool’s attack capabilities and advancing its encryption algorithm to protect its botnet communications mechanism. Arbor released a report analyzing MP-DDoser’s (.pdf) capabilities and improvements.

“The key management is quite good, and the buggy DDoS attacks are not only fixed, but now include at least one technique … that may be considered reasonably cutting edge,” wrote Edwards, a member of Arbor’s security engineering and response team, in a blog entry Thursday.

Edwards said the “Apache Killer” technique, which can be deployed by the tool, is designed to flood requests to Apache Web servers, overwhelming the memory and ultimately causing it to crash. The technique is considered low-bandwidth, making it difficult to filter out the bad requests. A less successful form of the attack was used by a previous botnet, Edwards said, but the MP-DDoser authors appear to have incorporated it with some improvements.

“A review of the [IP-Killer] bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack,” Edwards wrote. “It is therefore one of the more effective low-bandwidth, ‘asymmetrical’ HTTP attacks at the moment.”

Asymmetric DDoS attacks typically use less-powerful packets to consume resources or alter network components, according to the United States Computer Emergency Readiness Team (US-CERT). Attacks are meant to overwhelm the CPU and system memory of a network device, according to US-CERT.

The steady increase and easily obtainable automated DDoS attack tools have put the attack technique in the hands of less-savvy cybercriminals. Arbor Networks’ Worldwide Infrastructure Report 2012 detailed a steady increase in powerful attacks over the last five years. The report, which surveyed 114 service providers, found that lower-bandwidth sophisticated attacks like MP-DDoser are becoming alarming.

MP-DDoser, IP-Killer botnet communications improvements
The MP-DDoser botnet does not spread spam or malware, making it more effective at conducting DDoS campaigns, according to Edwards.

The authors of MP-DDoser are also employing encryption and key management as part of network communications, Edwards said. Encrypting communications is becoming more common in malware to make it more difficult for investigators to trace the transmissions between the bot and the command-and-control server. Edwards called the MP-DDoser author’s use of encryption a “home brew” algorithm, making decryption even more difficult for researchers.

“All in all, MP-DDoser uses some of the better key management we have seen. But of course, at the end of the day, every bot has to contain – or be able to generate – its own key string in order to communicate with its C&C, so no matter how many layers of encryption our adversary piles on, they can always be peeled off one by one,” Edwards wrote.

Source: http://searchsecurity.techtarget.com/news/2240153127/Arbor-Networks-warns-of-IP-Killer-MP-DDoser-DDoS-tool

The San Diego County Registrar of Voters’ website went out of service on election night because a firewall recognized an attempt to attack the site, officials said today, adding that an investigation was being conducted.

Sdvote.com went down soon after initial results were posted after 8 p.m. Tuesday, and the site remained inoperative for about two hours. Access to the site was also spotty after midnight.

Residents and local politicos use the site to track results. The county also uses its information technology to send a direct feed of results to news media, but that feed was not interrupted.

According to a county statement, sdvote.com began receiving well over 1 million hits per minute from a single Internet protocol address around 8:15 p.m., so a firewall that recognized suspicious activity shut down outside access to county websites.

Investigators said they believe the “denial of service” attack was launched against the site to prevent legitimate users from obtaining information.

It was unknown if the attack was meant to disrupt the election itself, according to the county.

IT vendor Hewlett Packard ruled out any hardware or software issues, and there was plenty of capacity for the number of users who tried to use sdvote.com, according to the county.

County officials said they were working with a security team and Hewlett Packard to find who or what was responsible for the attack, and reviewing ways to keep such an event from taking down the site in the future.

Source: http://www.kpbs.org/news/2012/jun/07/county-says-its-voting-results-website-was-hacked-/

Last year there was an odd incident in South Korea, where a widely distributed computer game appeared to be infected with malware (software that secretly uses the PC it is on for criminal activity, including stealing valuable data from the PC it is on). What caught the attention of South Korean military intelligence was the fact that the malware was hidden in every copy of this game and, at one point, many of the 100,000 infected PCs tried to shut down the air traffic control system at a major South Korean airport.

Further investigation revealed that the airport attack was part of a growing Cyber War campaign by North Korea against government and military web sites in South Korea. One of the most disruptive North Korean Cyber War weapons was DDOS (distributed denial of service) attacks. These are carried out by first using a computer virus (often delivered as an email attachment or, in this case, via a game), that installs a secret a Trojan horse type program, that allows someone else to take over that computer remotely, and turn it into a “zombie” for spamming, stealing, monitoring or DDOS attacks to shut down another site. There are millions of zombie PCs out there, and these can be rented, either form spamming or lunching DDOS attacks. Anyone with about $100,000 in cash, including North Korea, could carry out attacks. You can equip a web site to resist, or even brush off, a DDOS attack, and some of those attacked ware prepared. But others were not. The South Korea airport was disrupted for several hours.

Last year was the third time since 2009 that someone, apparently North Korea, has launched DDOS attacks, and attempted to hack into South Korean networks. But part of this latest DDOS effort was carried out by a North Korean botnet of zombie PCs obtained by selling the malware infected games. Further investigation found that the South Korean creator of the games had been financed by North Korea agents, who provided the malware payload. These games were made available for sale on South Korean web sites. Police are still inspecting the malware, which may have been stealing data from infected PCs, in addition to be part of a botnet of PCs used for DDOS attacks.

Source: http://www.strategypage.com/htmw/htiw/articles/20120607.aspx

Using Service Providers to Manage DDoS Threats

As you’ve no doubt seen in recent years, hactivists (hackers who attack for a cause) such as Anonymous and LulzSec are becoming increasingly bold in their attacks on corporate ­America. Using the Internet as a venue, they are levying attacks using hundreds or thousands of zombie computers to overwhelm victims’ bandwidth and servers. These distributed denial-of-service (DDoS) attacks can last for minutes or days, while leaving your employees and ­customers without access to online resources.

Many options are available for protecting against, and mitigating the effects of, a DDoS attack. However, with the increasing use of third-party service providers, your organization must consider whether and how these providers can fit into a comprehensive and strategic DDoS protection plan. The good news is that these providers likely have far more resources and know-how than your own organization when it comes to fighting against DDoS attacks. The trick will be to proactively engage with providers to ensure that the full force of these ­resources will be effectively leveraged for your own organization’s needs.

In this report, we examine how you can combine your protections with those of third-party service providers to protect against and/or withstand DDoS attacks. One of the most ­important takeaways is that you must prepare in advance. You cannot wait until after the DDoS hits to implement these technologies or coordinate protection with your service providers.

Source and to download this report: http://reports.informationweek.com/abstract/21/8817/security/strategy-using-service-providers-to-manage-ddos-threats.html

NEW DELHI: A day after messing with servers maintained by Reliance Communications, Anonymous, an international hacker collective, defaced two websites belonging to BJP on Sunday. Through its Twitter account (@opindia_back) it announced thatwww.mumbaibjp.org and www.bjpmp.org.in were hacked by the group. After the hacking, the group posted a message to web users, asking them to organize protests against “web censorship” in India on June 9.

While the message was displayed on the homepage of www.mumbaibjp.org, on www.bjpmp.org.in it was inserted as a page at bjpmp.org.in/ads/anon.html. On Mumbai BJP website the message was accompanied by a catchy tune embedded through a YouTube link.

“Today they took away your right to use a few websites… day after tomorrow they will take away your freedom of speech and no one will be there to speak for you. Speak Now or Never,” the message read. The hackers said that people should print out or buy Guy Fawkes Masks and wear them while protesting against web censorship in Bangalore, Mangalore, Kochi, Chennai, Vizag, Delhi, Mumbai and Hyderabad on June 9.

TOI reached out to Anonymous though Twitter, asking why it defaced BJP websites. “”Just needed a website to display our message,” said the person managing @opindia_back.

The Ion, who is likely a part of Anonymous and who uses @ProHaxor alias on Twitter, added, “BJP are the opposition they should have stopped this or should have organised a protest they did not do any.”

Incidentally, CERT-IN, the nodal agency in India for monitoring security and hacking incidents within the country’s cyberspace, said in a report on Sunday that hackers are targeting Indian websites. “It is observed that some hacker groups are launching Distributed Denial of Service (DDoS) attacks on websites of government and private organizations in India,” the report said and asked network administrators to keep vigil.

Anonymous started attacking websites belonging to government agencies and companies like Reliance Communications last week after internet service providers blocked several websites in the country on the basis of an order by Madras high court. Anonymous says the blocking of websites is illegal and suppression of freedom of speech. On Friday it held a virtual ‘press conference’ and released a list of websites that were allegedly blocked on the internet service provided by Reliance Communications even though there was no legal requirement for the ISP to do so. The hackers said they stole the list from Reliance’ servers. At the same ‘press briefing’ the group called on Indian people to organize protests against web censorship on June 9.

In the last few months, Anonymous has organized or played a dominant role in real world protests against what it perceives censorship and abuse of power. The most popular of these protests has been Occupy Wall Street in the US. Though there were a number of groups and individuals involved in these protests Anonymous had played a key role in spreading the word.

Source: http://timesofindia.indiatimes.com/tech/news/internet/Anonymous-hacks-BJP-websites-wants-people-to-protest-against-web-censorship/articleshow/13576173.cms