DDoS Protection Specialist Archive

Attackers have been leveraging Shellshock vulnerabilities to deliver malware since the issue was disclosed in late September, and now researchers with Trend Micro have observed a Bash bug payload – detected as TROJ_BASHKAI.SM – downloading the source code of the KAITEN malware.

KAITEN is an older Internet Relay Chat (IRC)-controlled malware that is typically used to carry out distributed denial-of-service (DDoS) attacks, so spreading the infection can help the attackers bring down targeted organizations, according to a Sunday Trend Micro post.

“The purpose is to add compromised systems to botnets,” Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com in a Monday email correspondence. “In this case these are botnets primarily focused on launching DDoS attacks.”

Getting KAITEN on the system – Linux/UNIX and Mac OS X systems are at risk, Budd said – is not a direct process.

TROJ_BASHKAI.SM connects to two URLs when executed, according to the post. The first URL downloads the KAITEN source code, which is compiled using the gcc compiler and ultimately builds an executable file detected as ELF_KAITEN.SM.

Compiling ensures proper execution of the malware because, if downloaded directly as an executable, the file runs the risk of having compatibility issues with different Linux OS distributions, the post indicates. Furthermore, the file will evade network security systems that only scan for executables.

ELF_KAITEN.SM connects to an IRC server at x[dot]secureshellz[dot]net, joins the IRC channel #pwn, and awaits commands, according to the post. Supported commands include performing UDP, SYN and PUSH-ACK floods, downloading files, sending raw IRC commands, starting a remote shell, and disabling, enabling or terminating the client.

When TROJ_BASHKAI.SM connects to the second URL, KAITEN source code is downloaded and similarly compiled into ELF_KAITEN.A, which is essentially the same as ELF_KAITEN.SM except that it connects to linksys[dot]secureshellz[dot]net[colon]25 and to channel #shellshock, the post indicates.
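The behaviour described above (fetch C source, compile it with gcc, run the result, connect out to an IRC server) is a chain that endpoint telemetry can catch even when the binary itself is never seen on the wire. The following Python is an added example, not code from the Trend Micro post: it scans constructed process and connection records for that chain. The hostnames, the record layout and the `SAMPLE_EVENTS` are assumptions for the example, and the IRC port list is only a hint, because the post's second variant talks to port 25.

```python
"""Detect the download -> compile -> execute -> connect chain described above.

Added example (not code from the Trend Micro post). The telemetry records,
hostnames and field layout are constructed for this example.
"""
import shlex
from collections import defaultdict

WINDOW_SECONDS = 600           # how close together the chain's steps must be
IRC_PORTS = {6667, 6697}       # hint only: the post's second variant uses port 25

# Constructed telemetry: (timestamp, host, kind, detail)
#   kind "proc": a command line that was executed
#   kind "net":  "<binary> -> <host>:<port>" for a new outbound connection
SAMPLE_EVENTS = [
    (100, "web01", "proc", "curl -s http://source-host.example/k.c -o /tmp/k.c"),
    (102, "web01", "proc", "gcc /tmp/k.c -o /tmp/k"),
    (103, "web01", "proc", "/tmp/k"),
    (104, "web01", "net", "/tmp/k -> irc-host.example:6667"),
    (200, "build02", "proc", "gcc main.c -o app"),        # an ordinary local build
    (201, "build02", "proc", "./app"),
    (202, "build02", "net", "./app -> db.internal.example:5432"),
]

def basename(path):
    return path.rsplit("/", 1)[-1]

def parse_download(argv):
    """Local output path of a curl -o / wget -O fetch, else None."""
    flag = {"curl": "-o", "wget": "-O"}.get(basename(argv[0]))
    if flag and flag in argv and argv.index(flag) + 1 < len(argv):
        return argv[argv.index(flag) + 1]
    return None

def parse_compile(argv):
    """(source file, output binary) for a gcc/cc invocation, else None."""
    if basename(argv[0]) not in ("gcc", "cc"):
        return None
    src = next((a for a in argv[1:] if a.endswith(".c")), None)
    out = "a.out"
    if "-o" in argv and argv.index("-o") + 1 < len(argv):
        out = argv[argv.index("-o") + 1]
    return (src, out) if src else None

def detect_chains(events, window=WINDOW_SECONDS):
    """Return one alert per host where a downloaded .c file was compiled,
    the resulting binary was executed, and that binary then connected out."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in sorted(events):
        by_host[host].append((ts, kind, detail))
    alerts = []
    for host, evs in by_host.items():
        downloaded = {}   # local path -> timestamp of the fetch
        compiled = {}     # output binary -> (source path, timestamp)
        executed = {}     # binary -> timestamp it was run
        for ts, kind, detail in evs:
            if kind == "proc":
                argv = shlex.split(detail)
                if not argv:
                    continue
                path = parse_download(argv)
                if path:
                    downloaded[path] = ts
                    continue
                comp = parse_compile(argv)
                if comp:
                    src, out = comp
                    if src in downloaded and ts - downloaded[src] <= window:
                        compiled[out] = (src, ts)
                    continue
                if argv[0] in compiled and ts - compiled[argv[0]][1] <= window:
                    executed[argv[0]] = ts
            elif kind == "net":
                binary, _, dest = detail.partition(" -> ")
                if binary in executed and ts - executed[binary] <= window:
                    port = int(dest.rsplit(":", 1)[1])
                    alerts.append({
                        "host": host,
                        "binary": binary,
                        "source": compiled[binary][0],
                        "dest": dest,
                        "irc_port": port in IRC_PORTS,
                    })
    return alerts

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the relationship between the steps (the compiled file is the one that was just downloaded, the executed file is the one that was just compiled) rather than on any single indicator, which is why the ordinary build on `build02` produces no alert. A wget call without `-O`, which saves to the URL's basename, is deliberately not handled here.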


Source: http://www.scmagazine.com/bash-bug-payload-downloads-kaiten-malware/article/375650/

The editorial board of the Russia Today (RT) TV channel has reported the most powerful DDoS attack ever mounted on its website. The information was published on the website itself.

“Today the RT.com website was hit by the most powerful DDoS attack in the channel’s entire existence. The power of the UDP flood DDoS attack on the RT site reached 10 Gbit/s. Thanks to the reliable technical protection of the site, RT.com was unavailable for only a few minutes; however, the DDoS attack continued,” the message stated.

So far no one has claimed responsibility for the attack.

The RT.com website has been subjected to DDoS attacks repeatedly. One of the most powerful attacks occurred on February 18, 2013, when the English-language RT site was only restored 6 hours after the attack began. In August 2012 the English- and Spanish-language RT sites were also attacked; responsibility was then claimed by the hacker group AntiLeaks, which opposes Julian Assange’s WikiLeaks project.

Source: http://newstwenty4seven.com/en/news/russia-today-zajavil-o-moschnejshej-ddos-atake-na-svoj-sajt

New study warns of rising smokescreening practice in cyberattacks

The top takeaway of a new study suggests that more and more frequently, distributed denial of service (DDoS) attacks are being used as a smokescreen, distracting organizations while malware or viruses are injected to steal money, data, or intellectual property.

The white paper, the 2014 Neustar Annual DDoS Attacks and Impact Report: A Neustar High-Tech Brief, reveals insights into this trend based on a survey of 440 North American companies, comparing DDoS findings from 2013 to 2012.

Over the last year, the study found, DDoS attacks evolved in strategy and tactics. More than half of attacked companies also reported theft of funds, data, or intellectual property. These cyber-attacks are intense but quick, more surgical in nature than sustained strikes whose goal is to extend downtime.

This year’s survey also demonstrated that the landscape of DDoS attacks is changing. The number of attacks is up, but attack duration is down, meaning that attacks are becoming more intense and harder to catch. Larger attacks are more common, but most attacks are still less than 1 Gbps. Although companies report a greater financial risk during a DDoS outage, most still rely on traditional defenses like firewalls, rather than purpose-built solutions like DDoS mitigation hardware or cloud services.

Among the study’s other findings:

  • Virus and malware insertion during DDoS attacks was common: 47 percent of companies that experienced a DDoS attack and a data breach simultaneously reported the installation of a virus or malware.
  • The industry sees DDoS as a growing threat, with 91 percent of high-tech respondents viewing DDoS as a similar or larger threat than just a year ago.
  • 87 percent of companies attacked were hit multiple times.
  • Nearly twice as many businesses were hit: in 2013, 60 percent of companies were DDoS-attacked, up from 35 percent in 2012. And these attacks were of shorter duration in 2013.
  • Attacks between 1 and 5 Gbps almost tripled.
  • Customer support is the leading area of impact. For 53 percent of tech companies that suffered an outage, customer service was cited as the area most affected, while 47 percent named brand/customer confidence as the most affected.
  • Collectively, non-IT/security groups see the greatest cost increases in the event of a DDoS attack.
  • High-tech revenue losses are in line with those of other sectors. In 2013, DDoS was just as risky for high-tech as for other verticals, with 47 percent reporting revenue risks of more than $50K per hour and 31 percent reporting hourly risks of more than $100K. That means that daily revenue risks are often measured in seven figures.

The conclusion of the report is that there is a trend towards shorter DDoS attacks, but also more attacks from 1 to 5 Gbps — quicker, more concentrated strikes, that suggest a growing presence of a highly damaging tactic called DDoS smokescreening.

Smokescreening distracts IT and security teams with a DDoS attack, allowing criminals to grab and clone private data to siphon off funds, intellectual property, and other information.  In one case, thieves used DDoS to steal bank customers’ credentials and drain $9 million from ATMs in just 48 hours. Such crimes have caused the FDIC to warn about DDoS as a diversionary tactic.

The study urges businesses to watch for the warning signs, including shorter, more intense attacks with no extortion or policy demands. It also counsels them to follow best practices such as not assigning all resources to DDoS mitigation but dedicating some staff to monitoring entry systems during attacks, making sure everything is patched with up-to-date security, and establishing dedicated DDoS protection.

Rodney Joffe, Neustar senior VP and senior technologist notes, “The stakes are much higher. If you’re a criminal, why mess around with extortion when you can just go ahead and steal — and on a much greater scale?”

Source: http://www.bsminfo.com/doc/smokescreening-is-the-latest-danger-in-ddos-attacks-0001

DDoS: A problem we can’t ignore

If your credit union has a server with public access, you have no choice but to consider the threat of a DDoS attack with the utmost seriousness. Now that the larger banks have shored up their defenses, malevolent actors are setting their sights on a new line of targets: smaller financial institutions.

Just how seriously your institution could be impacted by a DDoS attack depends on how much of your credit union’s business and reputation depends on the accessibility and availability of your online services. If your online banking operations or other online services are down for an extended period of time, there is the potential for significant damage to your credit union’s reputation.

DDoS preparedness is best treated as a strategy. The approach should be similar to the one used for disaster recovery: understand the risk, know your environment, perform up-front planning and preparation, document your findings and your plans, test your plan occasionally, and, finally, revisit your strategy on an ongoing basis.

A 7 Point Approach to DDoS Preparedness

1. Conduct a company-wide DDoS risk assessment

Every credit union should be accustomed to the process of documenting formal risk assessments, taking into consideration both NCUA guidance and best practices. Conducting a company-wide DDoS risk assessment is the essential first step in DDoS preparedness.

By evaluating your environment and taking into account specific points of exposure, you should be able to zero in on the most likely targets, such as home banking, public-facing websites and other online services.

With this information in-hand you should then work to identify the potential impact of an attack on your business. What losses could your institution incur in the form of lost revenue or reputational damage?

2. Create an action plan to prepare for and respond to DDoS attacks

Armed with the information you derive from your risk assessment, you are then better positioned to move to the next step: create an action plan to prepare for and respond to DDoS attacks.

If you haven’t prepared for an attack, your response is likely to be slow, disorganized and therefore ineffective.

We recommend that you develop a plan – much like the plan that you already have for the Unintended Disclosure of Non-Public Member Information. This should augment your existing Incident Response Plan, with a focus on the various DDoS-centric activities.

As with disaster recovery planning, using different scenarios to help shape specific responses is a constructive way to develop and detail this plan. Taking into account the various types of DDoS attacks, such as protocol attacks, application attacks or bandwidth attacks, you can adjust scenario duration and plans based on the specific servers subjected to the attack.

An extremely important element of your action plan, which, unfortunately, is often forgotten or ignored, is to include the specific steps you will take to monitor the other systems that are not directly impacted by the DDoS.

Today DDoS attacks are frequently used as a smokescreen to create a crisis designed to distract your staff while something else – usually more nefarious – occurs elsewhere in your credit union. A DDoS attack needs to be directly addressed, but it should also trigger heightened awareness of other attacks that may be occurring against your enterprise.
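Both the Neustar findings above (shorter, more intense attacks with no extortion demand, data theft alongside the flood) and this step call for the same control: keep watching the systems the flood is not aimed at while it is under way. The Python below is an added example, not code from either article, that applies simple rules to constructed authentication and transaction events restricted to a DDoS window. The window, system names, addresses, admin network prefix and thresholds are all assumptions for the example.

```python
"""Watch non-targeted systems while a DDoS is under way.

Added example, not from either article. The DDoS window, systems,
addresses and events below are constructed; the rules are illustrative
thresholds, not any product's logic.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int        # seconds
    system: str    # which internal system logged it
    user: str
    src_ip: str
    action: str    # login_ok | login_fail | wire_transfer | db_export

# Constructed: a ten-minute flood against the public web tier only
DDOS_WINDOWS = [(1000, 1600)]
TARGETED_SYSTEMS = {"www"}
ADMIN_NETS = ("10.0.",)                       # where staff logins normally originate
SENSITIVE_ACTIONS = {"wire_transfer", "db_export"}

EVENTS = [
    Event(900,  "core-banking", "alice",     "10.0.5.4",     "login_ok"),
    Event(1050, "core-banking", "svc_batch", "203.0.113.9",  "login_ok"),
    Event(1055, "core-banking", "svc_batch", "203.0.113.9",  "wire_transfer"),
    Event(1100, "vpn",          "bob",       "198.51.100.7", "login_fail"),
    Event(1101, "vpn",          "bob",       "198.51.100.7", "login_fail"),
    Event(1102, "vpn",          "bob",       "198.51.100.7", "login_ok"),
    Event(1200, "www",          "-",         "192.0.2.1",    "login_fail"),  # noise on the flooded host itself
    Event(2000, "core-banking", "alice",     "10.0.5.4",     "login_ok"),
]

def in_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)

def flag_side_channel_activity(events, windows=DDOS_WINDOWS, targeted=TARGETED_SYSTEMS):
    """Return [(event, [reasons])] for activity on systems the flood is not
    aimed at, restricted to the DDoS window when staff attention is elsewhere."""
    failures = defaultdict(int)    # (system, src_ip) -> failed logins seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.system in targeted or not in_window(ev.ts, windows):
            continue
        reasons = []
        if ev.action in SENSITIVE_ACTIONS:
            reasons.append("sensitive action during DDoS window")
        if ev.action == "login_fail":
            failures[(ev.system, ev.src_ip)] += 1
        elif ev.action == "login_ok":
            if not ev.src_ip.startswith(ADMIN_NETS):
                reasons.append("login from outside admin networks")
            if failures[(ev.system, ev.src_ip)] >= 2:
                reasons.append("success after repeated failures")
        if reasons:
            findings.append((ev, reasons))
    return findings

def summarize(findings):
    """Count flagged events per system so the on-call team knows where to look."""
    counts = defaultdict(int)
    for ev, _ in findings:
        counts[ev.system] += 1
    return dict(counts)

if __name__ == "__main__":
    for ev, reasons in flag_side_channel_activity(EVENTS):
        print(ev.ts, ev.system, ev.user, ev.src_ip, ev.action, "->", "; ".join(reasons))
    print(summarize(flag_side_channel_activity(EVENTS)))
```

The point of restricting the rules to the attack window is not that these events are harmless at other times, but that during a flood they would otherwise be read by nobody; the summary gives the staff who were deliberately kept off the mitigation effort a short list of systems to check first.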

3. Know your infrastructure components

How well documented is your enterprise infrastructure? Do you have a complete inventory and map of all of your components? How frequently is this updated?

Having one or more IT people that know everything about your systems isn’t enough. If your infrastructure inventory isn’t documented and current, you are not prepared for an attack. Your enterprise infrastructure inventory will help you focus on the specific types of attacks you can withstand, and help you identify the best practice approaches to DDoS defense for your environment.

4. Understand your ISP’s defensive capabilities

When I spoke with several credit union executives about their state of DDoS preparedness, many reported that they would simply rely on their ISP to fix things. As Benjamin Franklin famously said, “Failing to prepare is preparing to fail.”

Don’t wait for an attack to learn the extent of your ISP’s defensive capabilities. It is essential that you proactively develop and document response plans with all of your online service providers.

A few things to document and understand about your ISP:

  • Do you have a calling tree and support numbers, contacts and account numbers readily available to you? And do you know where to find them if your site or network is down?
  • Do you understand your ISP’s options for defending against DDoS attacks? Do they use black hole routes, upstream filtering or cloud-based mitigation?
  • What are the SLAs within your contract with your ISP?

A key question that every credit union must also address is whether to depend on their ISP for DDoS protection, or to contract with a DDoS mitigation services provider.

While an ISP-based solution might seem to make sense, there are several factors to consider. If your organization is multi-homed, all your ISPs would need to participate; otherwise, bandwidth availability during attacks would be spotty. It is also difficult to coordinate an active mitigation between multiple ISPs. Does your organization want to be the one coordinating this response? If not, then selecting an experienced third-party DDoS protection provider should be an essential part of your plan.

5. Implement general rules to help mitigate DDoS attacks

This step is one that your IT team should already have as part of their general operating procedures. If not, make it an immediate priority. The following are general rules to help defend against a DDoS attack. They should only be used as a guide, since they will not stop all attacks, especially some of the more complex varieties.

  • Turn off all unnecessary ports and protocols
  • Implement an IP blacklist
  • Block invalid and malformed packets
  • Configure and harden network equipment

Ongoing vulnerability assessments will help you to validate that you’ve properly configured and protected your environment against these ever-evolving threats.
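To make the first and third rules above concrete, here is an added example (not from the article) of the header checks a packet filter applies before a packet reaches the host stack: IPv4 sanity checks, the oversized-reassembly case behind the ping of death, illegal TCP flag combinations, and a per-port allow-list standing in for "turn off unnecessary ports". The packets are built inline with `struct`; the allowed-port set and all addresses are assumptions for the example.

```python
"""Reject malformed IPv4/TCP packets before they reach the host stack.

Added example (not from the article). Packets are constructed inline;
the allowed-port list and addresses are assumptions for the example.
"""
import struct

IPV4_HDR = "!BBHHHBBH4s4s"        # 20-byte header without options
TCP_HDR = "!HHIIBBHHH"            # 20-byte header without options
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_ipv4(src, dst, proto, payload, frag_off=0, ttl=64):
    """Minimal IPv4 datagram; the checksum is left zero, the checks do not need it."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234,
                         frag_off & 0x1FFF, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return header + payload

def build_tcp(sport, dport, flags):
    return struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def check_packet(pkt, allowed_tcp_ports=frozenset({80, 443})):
    """Return the list of reasons to drop the packet; an empty list means it passes."""
    reasons = []
    if len(pkt) < 20:
        return ["truncated IPv4 header"]
    vihl, _tos, total, _id, frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4:
        reasons.append("version is not 4")
    if ihl < 20:
        reasons.append("header length below 20 bytes")
    if total != len(pkt):
        reasons.append("total length field does not match packet size")
    if ttl == 0:
        reasons.append("TTL of zero")
    if src == dst:
        reasons.append("source equals destination (LAND)")
    # Fragment offset is in 8-byte units; a reassembled datagram may not exceed 65535 bytes
    if (frag & 0x1FFF) * 8 + (total - ihl) > 65535:
        reasons.append("reassembled size exceeds 65535 bytes (ping of death)")
    if proto == 6:
        if len(pkt) < ihl + 20:
            return reasons + ["truncated TCP header"]
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        flags = pkt[ihl + 13]
        if flags == 0:
            reasons.append("TCP NULL flags")
        if flags & SYN and flags & FIN:
            reasons.append("SYN and FIN set together")
        if flags & FIN and flags & PSH and flags & URG and not flags & ACK:
            reasons.append("XMAS flag combination")
        if flags & SYN and not flags & ACK and dport not in allowed_tcp_ports:
            reasons.append(f"new connection to closed port {dport}")
    return reasons

# Constructed packets exercising each rule
GOOD_SYN = build_ipv4("192.0.2.10", "203.0.113.5", 6, build_tcp(40000, 443, SYN))
SYN_FIN = build_ipv4("192.0.2.10", "203.0.113.5", 6, build_tcp(40000, 443, SYN | FIN))
LAND = build_ipv4("203.0.113.5", "203.0.113.5", 6, build_tcp(443, 443, SYN))
CLOSED_PORT = build_ipv4("192.0.2.10", "203.0.113.5", 6, build_tcp(40000, 23, SYN))
LAST_FRAG = build_ipv4("192.0.2.10", "203.0.113.5", 1, b"\x00" * 16, frag_off=8191)

if __name__ == "__main__":
    for name, pkt in [("GOOD_SYN", GOOD_SYN), ("SYN_FIN", SYN_FIN), ("LAND", LAND),
                      ("CLOSED_PORT", CLOSED_PORT), ("LAST_FRAG", LAST_FRAG)]:
        print(name, check_packet(pkt) or "pass")
```

Real filters implement these checks in the kernel or on the edge device, but the rules are the same ones: reject what no legitimate stack would send, and only accept new connections to ports you intend to serve.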

6. Conduct a post-attack analysis after a DDoS attack

While it is crucial to have a plan in place to address a DDoS attack, it is equally important to perform a post-attack analysis. Some of the items to consider documenting after an attack include:

  • Type of attack (Volume, Protocol, Application Layer)
  • What equipment helped you mitigate, even if it was only partially successful?
  • What attack traffic had the most impact and why?

This analysis will help you evaluate the effectiveness of your response plan, identify any holes in your documentation, and also help you determine whether or not you need to replace or upgrade infrastructure components. If you don’t have the budget for more resilient infrastructure, you may want to think about outsourcing to a security service provider.

7. Leverage monitored and managed services

Partnering with an experienced third-party DDoS mitigation provider has significant benefits.  Such providers have deep experience in dealing with DDoS attacks and offer a wide array of equipment and resources.  You can use their services on demand—for example, a DNS redirect service—or have them monitor your network 24/7 for signs of attacks.

Source: https://www.cuinsight.com/preparing-for-ddos-an-it-operations-perspective.html

A denial of service (DoS) essentially happens when an attacker floods a target machine with malicious traffic until all its resources are consumed and exhausted, taking the system offline. A distributed denial of service (DDoS) is essentially the same, except that it enlists other machines in the attack; the stakes, as they say, are much amplified. Here is a list of 8 major DDoS attack types.

1. UDP Flood

A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the remote host will check for an application listening on each port, find that none does, and reply with an ICMP Destination Unreachable packet.

2. Ping of Death

A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A correctly formed ping message is typically 56 bytes in size, or 84 bytes when the Internet Protocol (IP) header is considered. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size of 65,535 bytes, and larger packets could crash the target computer. In early implementations of TCP/IP this bug was easy to exploit, and it affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers.

3. Reflected / Spoofed attack

A distributed denial of service attack may involve sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target.


4. Nuke

A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.


5. Slowloris

Slowloris is a piece of software written by Robert “RSnake” Hansen which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request.

6. Unintentional DDoS

This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story.

7. Zero Day DDoS

A general term for DDoS attacks that exploit vulnerabilities which are still new and have not yet been patched.

8. SYN Flood

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
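The two floods described in this list, the UDP flood to random ports (item 1) and the SYN flood (item 8), leave distinct signatures in flow data, and the post-attack write-up recommended earlier on this page asks for the attack to be classified by type. The following Python is an added example, not code from any of the articles above: it builds a constructed one-second snapshot of flow records in `make_sample_flows()`, then detects each flood from the shape of the traffic (many SYNs from many sources with few ACKs following; many UDP packets spread over many distinct ports) and labels it with the Volume/Protocol category. All addresses, record fields and thresholds are assumptions for the example.

```python
"""Classify SYN and UDP floods from flow records and map them to the
post-attack categories (Volume / Protocol) used in incident write-ups.

Added example (not from the article). Flow records are constructed in
make_sample_flows(); thresholds are illustrative.
"""
from collections import defaultdict

def make_sample_flows():
    """Constructed one-second snapshot: a SYN flood on a web server, a random-port
    UDP flood on another host, and legitimate DNS traffic for comparison."""
    flows = []
    for i in range(200):                                  # spoofed SYN-only packets
        flows.append({"src": f"10.{i // 256}.{i % 256}.1", "dst": "203.0.113.5",
                      "proto": "tcp", "dport": 443, "flags": "S"})
    for i in range(20):                                   # real clients completing handshakes
        client = f"192.0.2.{i + 1}"
        flows.append({"src": client, "dst": "203.0.113.5", "proto": "tcp", "dport": 443, "flags": "S"})
        flows.append({"src": client, "dst": "203.0.113.5", "proto": "tcp", "dport": 443, "flags": "A"})
    for i in range(300):                                  # UDP to random high ports
        flows.append({"src": f"198.51.100.{i % 50 + 1}", "dst": "203.0.113.20",
                      "proto": "udp", "dport": 1024 + i, "flags": ""})
    for i in range(50):                                   # ordinary DNS lookups
        flows.append({"src": f"192.0.2.{i + 1}", "dst": "203.0.113.53",
                      "proto": "udp", "dport": 53, "flags": ""})
    return flows

def detect_floods(flows, syn_threshold=100, min_sources=50, udp_threshold=200, port_spread=0.5):
    """Return {dst: [(attack name, category)]} for destinations under flood."""
    per_dst = defaultdict(lambda: {"syn_only": 0, "syn_srcs": set(),
                                   "ack": 0, "udp": 0, "udp_ports": set()})
    for f in flows:
        s = per_dst[f["dst"]]
        if f["proto"] == "tcp":
            if f["flags"] == "S":
                s["syn_only"] += 1
                s["syn_srcs"].add(f["src"])
            elif "A" in f["flags"]:
                s["ack"] += 1
        elif f["proto"] == "udp":
            s["udp"] += 1
            s["udp_ports"].add(f["dport"])
    findings = {}
    for dst, s in per_dst.items():
        verdicts = []
        # Many SYNs from many sources with few ACKs following them: half-open queue exhaustion
        if (s["syn_only"] >= syn_threshold and len(s["syn_srcs"]) >= min_sources
                and s["syn_only"] > 5 * max(s["ack"], 1)):
            verdicts.append(("SYN flood", "Protocol"))
        # Many UDP packets spread across many distinct ports: the random-port UDP flood
        if s["udp"] >= udp_threshold and len(s["udp_ports"]) / s["udp"] >= port_spread:
            verdicts.append(("UDP flood", "Volume"))
        if verdicts:
            findings[dst] = verdicts
    return findings

if __name__ == "__main__":
    for dst, verdicts in detect_floods(make_sample_flows()).items():
        print(dst, verdicts)
```

The DNS server in the sample receives only UDP to port 53, so the port-spread test keeps it out of the findings even though it is busy; that ratio, rather than the raw packet count, is what separates a random-port flood from a popular service. On a real network the thresholds should be set from a baseline of the host's normal SYN and UDP rates.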

Source: http://www.efytimes.com/e1/fullnews.asp?edid=137389