DDoS Protection Specialist Archive

A denial of service (DoS) attack happens when an attacker floods a target machine with malicious traffic until all of its resources are exhausted and the system goes offline. A distributed denial of service (DDoS) attack is the same idea, except that it enlists many other machines in the attack, so the stakes are much higher. Here is a list of 8 major DDoS attack types.

1. UDP Flood

A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the remote host will check for an application listening on that port, find none, and reply with an ICMP Destination Unreachable packet. Enough such packets exhaust the host’s resources.

2. Ping of Death

A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A correctly formed ping message is typically 56 bytes in size, or 84 bytes when the Internet Protocol (IP) header is considered. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size of 65,535 bytes. Larger packets could crash the target computer. In early implementations of TCP/IP, this bug was easy to exploit. This exploit affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers.

3. Reflected / Spoofed attack

A distributed denial of service attack may involve sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target.

4. Nuke

A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.

5. Slowloris

Slowloris is a piece of software written by Robert “RSnake” Hansen which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request.

6. Unintentional DDoS

This describes a situation where a website ends up unavailable, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story.

7. Zero Day DDoS

A general term for vulnerabilities and exploits that are still new and have not yet been patched.

8. SYN Flood

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
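Detection logic for three of the patterns listed above (UDP flood, reflected/spoofed traffic and SYN flood), run over constructed packet summaries. This is an added example, not code from the original list; the tuple layout, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries in the shape a flow exporter or capture tool would
# hand to a detector: (proto, src, sport, dst, dport, tcp_flags, bytes). Not real traffic.
VICTIM = "203.0.113.10"
PACKETS = [
    # SYN flood: many sources send SYN and never complete the handshake
    *[("tcp", f"198.51.100.{i}", 40000 + i, VICTIM, 80, "S", 60) for i in range(1, 41)],
    # one legitimate client that does complete it
    ("tcp", "192.0.2.7", 51000, VICTIM, 80, "S", 60),
    ("tcp", "192.0.2.7", 51000, VICTIM, 80, "A", 52),
    # UDP flood: a single source spraying large datagrams at random closed ports
    *[("udp", "198.51.100.200", 1234, VICTIM, 1025 + 37 * i, "", 1400) for i in range(30)],
    # reflected/spoofed: many hosts answering from UDP/123 (NTP) to a victim that never asked
    *[("udp", f"192.0.2.{i}", 123, VICTIM, 5000, "", 440) for i in range(50, 62)],
]

def syn_vs_ack(packets, dst):
    """SYN-only packets against follow-up ACKs toward dst. A SYN count far above
    the ACK count is the half-open signature of a SYN flood."""
    syn = sum(1 for p in packets if p[0] == "tcp" and p[3] == dst and p[5] == "S")
    ack = sum(1 for p in packets if p[0] == "tcp" and p[3] == dst and "A" in p[5])
    return syn, ack

def udp_port_sprayers(packets, dst, min_ports=20):
    """Sources hitting many distinct UDP destination ports on dst, the pattern that
    makes the host look up a listener and answer ICMP Unreachable each time."""
    ports = defaultdict(set)
    for proto, src, _sport, d, dport, _flags, _size in packets:
        if proto == "udp" and d == dst:
            ports[src].add(dport)
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)

def reflection_sources(packets, dst, service_ports=(53, 123), min_sources=10):
    """Count distinct hosts replying from a UDP service port toward dst. Replies
    arriving from many servers the victim never queried indicate a spoofed-source
    reflection attack; the responders are unwitting reflectors, not the attacker."""
    by_port = defaultdict(set)
    for proto, src, sport, d, _dport, _flags, _size in packets:
        if proto == "udp" and d == dst and sport in service_ports:
            by_port[sport].add(src)
    return {port: len(srcs) for port, srcs in by_port.items() if len(srcs) >= min_sources}
```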

Source: http://www.efytimes.com/e1/fullnews.asp?edid=137389

Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.

The technique made it possible for an attacker with modest resources to greatly amplify the bandwidth at its disposal. By sending spoofed Web requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle. Besides causing such a large number of unsuspecting sites to attack another one, the attack is notable for targeting XML-RPC, a protocol the sites running WordPress and other Web applications use to provide services such as pingbacks, trackbacks, and remote access to some users.

Researchers from security firm Sucuri recently counted more than 162,000 legitimate WordPress sites hitting a single customer website. They suspect they would have seen more if they hadn’t ended the attack by blocking the requests.

“Can you see how powerful it can be?” Sucuri CTO Daniel Cid wrote in a blog post published Monday. “One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.”

The result: the unidentified target website was flooded with hundreds of requests per second. Hundreds of requests per second may not sound like much, especially when compared with recent attacks, some of which reached volumes close to 400 gigabits per second. It’s important to remember that the XML-RPC traffic is directed at a targeted site’s layer 7 (aka application layer), which handles HTTP, FTP, DNS, and several other communications protocols. Many DDoS techniques direct torrents of traffic at a much lower level, usually in the network layer (aka layer 3). Layer 7 attacks frequently require much less junk data to be effective.

Cid’s blog post contains plenty of useful information about DDoS attacks that abuse XML-RPC, including this scanner that will indicate whether a specific Web address was observed participating in the attack Sucuri blocked. The post also provides instructions that operators of WordPress sites can follow to prevent their servers from being abused to carry out these types of attacks. The technique involves adding the following code to a site theme:

add_filter( 'xmlrpc_methods', function( $methods ) {
    // Drop pingback.ping so this site cannot be used as a pingback reflector
    unset( $methods['pingback.ping'] );
    return $methods;
} );

Cid doesn’t say if there are any negative consequences that will result from adding the filter. Since XML-RPC provides useful and possibly needed functionality, readers are advised to carefully consider the pros and cons before applying such a move to a production server. Readers who know more about the way the XML-RPC protocol is implemented in WordPress and the effects of the above filter are encouraged to share their knowledge in the comments.
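On the receiving end, the flood shows up as GET requests whose User-Agent names each WordPress site verifying a pingback. The following is an added example, not from the article or from Sucuri: it parses constructed access-log lines in combined format and flags a pingback flood when many distinct sites verify pingbacks citing the same origin address. The log lines, the threshold and the exact User-Agent wording are assumptions.

```python
import re
from collections import Counter

# Constructed access-log lines in combined format (not real traffic). A WordPress
# site verifying a pingback fetches the target URL and identifies itself and the
# address that submitted the pingback in the User-Agent; the random query string
# defeats caching so every request reaches the origin server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:12:00:01 +0000] "GET /?4675 HTTP/1.0" 200 12345 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.9"
203.0.113.6 - - [10/Mar/2014:12:00:01 +0000] "GET /?7899 HTTP/1.0" 200 12345 "-" "WordPress/3.8; http://blog-b.example; verifying pingback from 198.51.100.9"
203.0.113.7 - - [10/Mar/2014:12:00:02 +0000] "GET /?1143 HTTP/1.0" 200 12345 "-" "WordPress/3.7.1; http://blog-c.example; verifying pingback from 198.51.100.9"
192.0.2.44 - - [10/Mar/2014:12:00:02 +0000] "GET /about HTTP/1.1" 200 8899 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.8 - - [10/Mar/2014:12:00:03 +0000] "GET /?9032 HTTP/1.0" 200 12345 "-" "WordPress/3.8; http://blog-d.example; verifying pingback from 198.51.100.9"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
PINGBACK_UA_RE = re.compile(r'^WordPress/[\d.]+; (?P<site>https?://\S+); verifying pingback from (?P<origin>\S+)$')

def parse_pingback_hits(log_text):
    """Return (reflector_ip, reflector_site, claimed_origin, request) for each
    pingback-verification request; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ua = PINGBACK_UA_RE.match(m.group("ua"))
        if ua:
            hits.append((m.group("ip"), ua.group("site"), ua.group("origin"), m.group("req")))
    return hits

def pingback_flood_summary(log_text, min_reflectors=3):
    """Flag a pingback flood: many distinct WordPress sites verifying pingbacks
    that all cite the same origin, using cache-busting query strings."""
    hits = parse_pingback_hits(log_text)
    reflectors = {site for _, site, _, _ in hits}
    origins = Counter(origin for _, _, origin, _ in hits)
    cache_busting = sum(1 for _, _, _, req in hits if "?" in req.split()[1])
    return {
        "reflectors": len(reflectors),
        "top_origin": origins.most_common(1)[0][0] if origins else None,
        "cache_busting_requests": cache_busting,
        "flood": len(reflectors) >= min_reflectors,
    }
```

Blocking by User-Agent prefix or rate-limiting these requests at the edge is the usual response on the target side; the filter shown above is the fix on the reflector side.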

The WordPress-enabled attacks are just one technique in a growing arsenal of powerful DDoS weapons. Other implementations include the abuse of the Internet’s time-synchronization protocol and the exploitation of open domain name system servers to greatly amplify traffic. Attackers have also waged extremely powerful DDoS campaigns using botnets of WordPress servers. The growing body of attacks shows that there’s no shortage of ways to inflict crippling damage on the Internet.

Source: http://arstechnica.com/security/2014/03/more-than-162000-legit-wordpress-sites-abused-in-powerful-ddos-attack/

Cloud DDoS protection provider DOSarrest’s Proxy Defense has been named ‘security product of the year’ at the first UK Cloud Awards, which took place on Wednesday evening during Cloud Expo. Alex Hilton, the Cloud Industry Forum’s CEO, praised the quality of the entries, while the keynote speaker, Outsourcery’s joint-CEO and BBC ‘Dragon’ Piers Linney, used the occasion to describe how the cloud has come of age.

“We are delighted to have won this accolade for our DDoS Protection service,” said Mike Gordon from the DOSarrest UK office who collected the award at London’s City Hall. “The service has stopped thousands of attacks on our customers’ websites and it has done so seamlessly. So, to be recognised as the best is a huge achievement.”

The awards, launched by Cloud Pro in association with the Cloud Industry Forum and techUK, celebrate the very best of the industry, and the ‘security product of the year’ category recognised the considerable innovation and capability that has been brought to market in the UK to further enhance the cloud’s reputation as a secure and trusted environment.

“The calibre of the entries we received this year made the judging process no easy task. The standard of the entries, and ultimate winners, speaks volumes about tech success and innovation in the UK, and serve as a reminder of the dynamic and forward-looking industry we have in this country. DOSarrest fought off strong competition to take home Security Product of the Year, and I’d like to take this opportunity to congratulate them,” said Alex Hilton, CEO of the Cloud Industry Forum.

DOSarrest’s Proxy Defense is a fully managed, cloud-based DDoS protection service. Once a website is running on Proxy Defense, which takes less than 15 minutes to set up, the site is immediately protected 24/7 from any and all DDoS attacks.

To view the entire winner list click below:

http://www.ukcloudawards.co.uk/congratulations-our-winners

About DOSarrest Internet Security:

DOSarrest, founded in 2007 in Vancouver, BC, Canada, is one of only a couple of companies worldwide to specialize solely in cloud-based DDoS protection services. Their global client base includes mission-critical ecommerce websites in a wide range of business segments including financial, health, media, education and government. Their innovative systems, software and exceptional service have been leading edge for over 7 years now.

Source: http://www.consumerelectronicsnet.com/article/DOSarrest-Wins-Security-Product-of-the-Year-at-the-UK-Cloud-Awards-2014-3090275

A record-breaking distributed denial-of-service (DDoS) attack Monday peaked at 400 Gbit/s, which is about 100 Gbit/s more than the largest previously seen DDoS attack.

DDoS defense firm CloudFlare disclosed the attack — against one of its customers — Monday. “Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year,” tweeted CloudFlare CEO Matthew Prince, referring both to attacks that target vulnerabilities in the Network Time Protocol and to the March 2013 DDoS attack against Spamhaus, which peaked at a record-breaking 300 Gbit/s.

Prince said Monday’s attack caused trouble “even off our network,” suggesting that some upstream service providers — particularly in Europe — may have experienced slowdowns.

“Someone’s got a big, new cannon. Start of ugly things to come,” Prince tweeted. “These NTP reflection attacks are getting really nasty,” he added.

Who was the target of the attack? Prince declined to disclose the name of the CloudFlare customer being targeted, saying that unlike the attack against Spamhaus, his company didn’t have permission to name names.

CloudFlare’s assessment of the attack bandwidth appeared to be validated by Oles Van Herman, the head of French hosting firm OVH.com, who reported via Twitter that his company was seeing a DDoS attack with a bandwidth “far beyond” 350 Gbit/s. He confirmed that IP addresses involved in the DDoS attack — which according to one report first began Friday — traced back to his firm’s network, but noted, “Our network is the victim, not the source.”

Van Herman’s statement suggests that attackers spoofed the OVH.com IP address — as part of their record-breaking attack against a CloudFlare customer — which squares with how reflection attacks work. “A reflection attack works when an attacker can send a packet with a forged source IP address,” according to an overview of NTP reflection attacks published by CloudFlare programmer John Graham-Cumming. “The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.”

Many reflection attacks previously targeted domain name system (DNS) servers. But lately, attackers have also begun to target NTP, which — like DNS — “is a simple UDP-based protocol that can be persuaded to return a large reply to a small request,” said Graham-Cumming.

Monday’s record-breaking DDoS attack isn’t the first time that large reflection attacks have been seen in the wild. According to a threat report released last month by DDoS defense firm Black Lotus, while HTTP and HTTPS attacks — including SYN floods, ACK floods, and application-layer attacks — remain the dominant type of DDoS attacks seen in the wild, “distributed reflection denial of service (DrDoS) attacks began to gain ground moving into 2014,” and were being used to support “huge volumetric attacks exceeding 100 Gbit/s in volume.”

Launching a reflection attack isn’t difficult, especially if the attacker taps a toolkit such as DNS Flooder v1.1, which DDoS defense firm Prolexic said first appeared on underground hacking forums about six months ago. In a threat report released Tuesday, the company warned that the DNS-attack toolkit has since been used to launch a number of reflection attacks, with some successfully amplifying the initial attack bandwidth by a factor of 50.

“This toolkit uses a unique method where attackers assign DNS servers with arbitrary names and utilize them as reflectors,” according to Prolexic’s report. “This new technique allows malicious actors to purchase, set up, and use their own DNS servers to launch reflection attacks, without the need to find open and vulnerable DNS servers on the Internet.”

But most DDoS attackers still rely on blended attacks, which gives them a better chance “to find weaknesses in the target’s defenses and to confuse security engineers who may be trying to mitigate the attack,” according to the Black Lotus report.

The number of DDoS attacks that included NTP reflection-attack techniques increased substantially after January 2, when US-CERT released vulnerability advisory CVE-2013-5211, detailing a network time protocol daemon (ntpd) bug that can be exploited to launch DDoS reflection attacks. “Specifically, an attacker can send a spoofed monlist command to a vulnerable ntpd which will respond to the victim at an amplification factor of 58.5,” according to Black Lotus. The firm said that beginning in early January, it saw “a massive shift in the tactics used by attackers,” when they began tapping the NTP vulnerability en masse.

How can businesses better prevent their servers from being used — or abused — by DDoS attackers who target NTP vulnerabilities? “As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publicly accessible to at least 4.2.7,” according to the US-CERT advisory. “However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.”

To further help lock down vulnerable systems, research firm Team Cymru has released secure NTP templates for Cisco IOS, Juniper Junos, and Unix. In addition, the NTP Scanning Project provides a free service to scan any server for NTP vulnerabilities.
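An added example, not from the advisory or from Team Cymru, that checks an ntp.conf body for the two mitigations quoted above: it reports monlist as exposed unless the monitor facility is disabled or the default restrict line carries noquery (or ignore). Both configuration fragments are constructed; the directive names (disable monitor, restrict default ... noquery) are standard ntpd ones.

```python
# Two constructed ntp.conf fragments (not taken from any real host). The first
# leaves the monitor facility on and lets anyone query it, which is the state
# CVE-2013-5211 abuses; the second applies both fixes the advisory describes.
WEAK_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # no noquery: monlist still answers
"""

HARDENED_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def parse_ntp_conf(text):
    """Return (monitor_disabled, default_restrict_flags) from an ntp.conf body.
    Strips '#' comments; accepts 'restrict default' and 'restrict -4/-6 default'.
    ntpd enables monitor by default, so it counts as on unless a 'disable monitor'
    line appears (a later 'enable monitor' turns it back on)."""
    monitor_disabled = False
    default_flags = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("disable", "enable") and "monitor" in tokens[1:]:
            monitor_disabled = tokens[0] == "disable"
        elif tokens[0] == "restrict":
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                default_flags.update(args[1:])
    return monitor_disabled, default_flags

def monlist_exposed(text):
    """True when unauthenticated clients can still issue monlist: the monitor
    facility is on and the default restriction neither ignores nor denies queries.
    A missing 'restrict default' line means no restriction at all."""
    monitor_disabled, flags = parse_ntp_conf(text)
    if monitor_disabled:
        return False
    return not ({"noquery", "ignore"} & flags)
```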

Source: http://www.informationweek.com/security/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787?_mc=sm_iwk_edit

A part of the AfterDawn network was unreachable for 1-2 hours this morning (around 10:00 AM Eastern Time, 15:00 GMT). The outage was caused by a Distributed Denial of Service (DDoS) attack towards our servers that saturated the downlink of our rack cabinet. Most of the English language sites were available again within an hour, but much of the international sites were unreachable for nearly two hours.

In a DDoS attack, a considerable amount of traffic is directed at a server or servers in an attempt to bring down the server or the network infrastructure. In our case the 1GBps network link of the rack cabinet couldn’t handle all the incoming traffic. In response, the traffic to the affected services was blackholed.

The attack did not cause security issues with our services.

We would like to apologize for the inconvenience caused by the outage.

Source: http://www.afterdawn.com/news/article.cfm/2014/01/11/ddos_attack_brings_a_brief_outage_to_afterdawn