DDoS Archive

VANCOUVER, British Columbia, March 19, 2019 /PRNewswire/ — DOSarrest Internet Security announced today that they have released a new service offering called DOSarrest Traffic Analyzer (DTA). This new service allows subscribers to send their Netflow, Sflow or Jflow network data from their routers and switches to DOSarrest’s Big Data cluster, then login to their portal and graphically see what types and volumes of traffic are flowing in and out of their networks in almost real-time. Using this traffic intelligence, network operators can pinpoint the cause of any congestion, create their own ACLs to white-list or black-list any malicious networks. It gives engineers the intelligence they need to understand how their network is being used and for what purpose.

Some of the real-time graphical and historical information available in the dashboard is

Top 10 Source Countries
Top 10 Source Networks
Top 10 Source ASNs
Top 10 Source Netblocks
Top 10 Destination IPs
Top 10 Destination IPs
Top 10 Protocols and Ports

DOSarrest CTO, Jag Bains states, “I have been running Internet backbones for over 20 years and having something that is this cost effective has always been a problem, most solutions require expensive hardware and licensing or extensive software development. Setup is easy with DTA, just add 1 line to the router config and you’re done.”

This new service can also be combined with DOSarrest’s existing DDoS protection for network infrastructure service, where customers, using the same dashboard can automatically stop any DDoS attack on a customer’s data center or corporate network.

CEO Mark Teolis adds, “This service is really in its infancy, we are already working on version 2 and we plan on releasing a new version every 90 days thereafter. Once the network flow information is in the big data platform, there’s so much that can be done to extract network intelligence, it’s almost impossible to predict today what and how it can help network operators going forward. We are starting to test with some machine learning models to see what it can do.”

About DOSarrest Internet Security:
DOSarrest founded in 2007 in Vancouver, B.C., Canada specializes in fully managed cloud based Internet security services including DDoS protection services, Data Center Defender (DCD), Web Application Firewall (WAF), DDoS Attack testing, as well as cloud based global load balancing.

More information at http://www.DOSarrest.com

Source: https://www.prnewswire.com/news-releases/dosarrest-launches-new-cloud-based-network-traffic-analyzer-service-300814472.html

A new Mirai variant comes with eleven new exploits, the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV being the most notable new devices being targeted.

A previous report by Palo Alto Networks’ Unit 42 from September saw a strain of the Mirai botnet switching targets to attack Apache Struts servers using an exploit also employed during last year’s Equifax breach, while a new Gafgyt version was observed while assailing SonicWall firewalls, as part of a larger move against enterprise assets.

In both those instances, the Unit 42 security researchers saw exploits of older and already patched vulnerabilities used in the attacks, hinting at the threat actors trying to make their work easier by compromising unpatched devices impacted by severe security flaws such as the CVE-2017-5638 for Apache Struts.

Mirai attacks against enterprise devices mounting up

This time, as previously mentioned, the researchers found that, besides its usual marks represented by routers, network video cameras, modem routers, and wireless controllers, the Mirai version detected during January 2019 is now also scanning for and exploiting LG Supersign TVs and WePresent WiPG-1000 Wireless Presentation systems present in enterprise environments.

On top of that, with the 11 new exploits added by its masters to be used in the attacks, the total now reaches 27. As further discovered by Unit 42, the botnet’s malicious payload is hosted on a Colombian company’s server which, ironically, provides “electronic security, integration and alarm monitoring” services.

“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks,” according to Unit 42.

Vulnerability Affected Devices
CVE-2018-17173 LG Supersign TVs
WePresent WiPG-1000 Command Injection WePresent WiPG-1000 Wireless Presentation systems
DLink DCS-930L Remote Command Execution DLink DCS-930L Network Video Cameras
DLink diagnostic.php Command Execution DLink DIR-645, DIR-815 Routers
Zyxel P660HN Remote Command Execution Zyxel P660HN-T routers
CVE-2016-1555 Netgear WG102, WG103, WN604, WNDAP350, WNDAP360, WNAP320, WNAP210, WNDAP660, WNDAP620 devices
CVE-2017-6077, CVE-2017-6334 Netgear DGN2200 N300 Wireless ADSL2+ Modem Routers
Netgear Prosafe Remote Command Execution Netgear Prosafe WC9500, WC7600, WC7520 Wireless Controllers

                                                                         Newly added exploits

The new Mirai variant spotted by Unit 42 also comes with a handful of new features:

Mirai is a self-propagating botnet created by Paras Jha, Josiah White, and Dalton Norman, originally designed to target Internet of Things (IoT) devices such as routers, digital video recorders, and IP cameras, transforming them into “bots” upon successful compromise which can later be used as sources for large-scale Distributed Denial of Service attacks.

During 2016, some malicious actors were advertising huge Mirai botnets of hundreds of thousands of infected devices capable of DDoS attacks over 650Gbps and managing to impact hundreds of thousands of devices [1, 2] during a single campaign.

Mirai still going strong despite creators’ getting caught

It all started after Jha posted the Mirai’s source code on a hacking forum during 2016 and, since then, other bad actors have used to create numerous other botnets using the code he shared as a starting point, most of them being on at least the same level of sophistication but, once in a while, adding newer and more complex attack tools [1, 2, 3, 4, 5, 6].

While their “masterpiece” was and is being improved by others and it still going strong as proven by Unit 42’s newest report on the new Mirai variant, Jha, White, and Norman were indicted and pleaded guilty for their role in the creation of the malware during December 2018, after Jha was first questioned by the FBI in January 2017 and the US authorities charged all three of them in May 2017.

Paras Jha was sentenced during October and ordered “to pay $8.6 million in restitution and serve six months of home incarceration” according to a DoJ release from October 26, 2018.

 The group behind Mirai was sentenced to serve a five-year period of probation and do 2,500 hours of community service, as well as pay $127,000 as restitution while also having to abandon the cryptocurrency seized during the investigation. Jail time was removed from the sentence after they assisted the FBI in other cybercriminal investigations.
Source: https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/

Hackers are increasingly trying to steal data instead of money from victims, according to Positive Technologies.

DDoS attacks are becoming more powerful, according to a Monday report from Positive Technologies. The year 2018 saw the two biggest DDoS attacks in history, reaching 1.35 and 1.7 terabits per second, with hackers using memcached servers to amplify their strike, the report found.

Government institutions and IT companies were the most common targets of DDoS attacks in Q4 2018, according to the report.

Cybercriminals are increasingly motivated by data theft, rather than solely direct monetary theft. Of all attacks in 2018, 42% were motivated by access to information, 41% by financial profit, 15% by hacktivism, and 2% by cyberwar, the report found.

However, it should be noted that many hackers steal data to later steal money, blackmail someone, or sell it on the Dark Web, it noted. Hacking a computer system can also be a first step in a major fraud scheme, or tool in a cyberwar, the report said.

Malware was used in 56% of all attacks, as malicious software is increasingly available, reducing the barrier to entry for criminals, according to the report.

The number of unique cybersecurity incidents grew by 27% in 2018 over 2017, with no signs of slowing down, it noted.

Cybersecurity predictions

Positive Technologies researchers made the following predictions for the rest of 2019 when it comes to the cybersecurity landscape:

  • DDoS attacks will become more powerful because of the growth of botnets and use of new techniques and exploits. The growing malware marketplace will also make it easier for even low-skill hackers to complete attacks.
  • Data theft attacks will continue to grow, as criminals hack poorly protected systems to steal personal, medical, and payment information. Businesses that lack strong security measures, including service companies, educational institutions, healthcare institutions, and retailers, will be particularly at risk.
  • Cryptomining attacks will continue to be less profitable than they were in the past, and will continue to decline if cryptocurrency prices do as well.

Source: https://www.techrepublic.com/article/ddos-attacks-on-the-rise-largest-attack-ever-hit-1-7-tbsecond/

Yesterday, at about 11am EST, a hashtag started trending on Twitter: #Facebookdown. The social media site and its sister, Instagram, were suffering an outage. Some users weren’t able to log in to their accounts at all while others were experiencing limited functionality.

It was the worst disruption to the platform since 2008 when Facebook user numbers were 150 million – compared with 2.3bn monthly users currently on the social network.

During and after the outage, speculation was rife about a cyber-attack. After all, the social network has had a bad year that has seen it be a victim of several successful hacks and data leaks.

 Much of the speculation centres around whether Facebook could have been the victim of a distributed denial of service (DDoS) attack, where a website is taken online because an attacker is flooding it with traffic. Facebook strongly denies this.

What we know so far

Facebook has responded. A spokesperson told me: “We’re aware that some people are currently having trouble accessing the Facebook family of apps. We’re focused on working to resolve the issue as soon as possible, but can confirm the issue is not related to a DDoS attack.”

But what else could it be? Suggestions range from a simple misconfiguration error, to a planned cyber-attack by a malicious actor.

The case for

Only time will tell the real reason for the outage, but experts don’t dismiss the idea that a malicious actor could be at fault. “Despite initial reports that the issues at Facebook and Instagram have been caused by an overloaded data server, there is still every possibility that these outages could be the result of malicious actors,” says Dr Max Eiza, lecturer in computing at the University of Central Lancashire.

Dr Eiza points out that it has previously “taken weeks” for tech giants to own up to the fact that system outages have been the result of DoS attacks (something which Facebook strongly denies). However, says Dr Eiza, until a full investigation has been conducted, it’s impossible to rule this out.

And even if this issue is the result of internal failures, Dr Eiza warns that there is still a chance that malicious actors could have seized this downtime to get hold of data. “There’s every possibility that the data of Facebook and Instagram users could be at risk.”

Edward Whittingham – a former police officer and qualified solicitor, who is now the MD of The Defence Works – is yet to be convinced by Facebook’s denial. “Facebook have flat out denied that their outage could be caused by a distributed denial of service attack but I’m yet to be convinced – especially given their very vague explanations,” he says.

Indeed, Whittingham says the outage “has all of the hallmarks of a DDoS attack”, given that the sole purpose of these types of attacks is to bring down entire websites.

However, he also points out that Facebook should be well guarded against these types of attacks. “They will use such incredibly huge volumes of bandwidth it’s perhaps difficult to see how they couldn’t absorb even a monumental DDoS attack.”

He also questions what else could be lurking behind the scenes. “I suspect that this could well be an internal issue but, in the absence of any other evidence, who’s to say this internal issue wasn’t caused by some sort of attack – whether it be phishing, social engineering or otherwise.  After all, Facebook would make for a pretty big target if someone were to be successful.”

So, who would want to attack Facebook? If it was a cyber-attack, there are a number of potential threat actors who could be responsible, Dr Guy Bunker, CTO at Clearswift says, including nation-states or a group sponsored by a nation-state. “There has been a lot of media attention on Facebook (and others) over their influence in politics with voting. Taking down the Facebook network shows just who is in control – and in this case, it isn’t Facebook. However, there is no (current) sign that this was a cyber-attack,” he points out.

Christopher Moses, director intelligence and investigations at Blackstone Consultancy says the chance that it suffered a massive DDoS “is remote but not impossible”.

He adds: “Unfortunately, it is far too early to say, so conspiracy theorists can stand down for the moment and I suspect that Facebook’s PR machine is kicking into overdrive to minimise the affect of the outage.”

The case against

It’s not a surprise that speculation is rampant about a security issue, given Facebook’s previous track record. But Tim Mackey, senior technical evangelist at Synopsys suspects the real reason “will be more mundane”.

Among the reasons for the outage, he suggests: “Perhaps a misconfiguration of some software, perhaps a hardware issue, or maybe simply a software update gone wrong are far more likely causes.”

Dr Bunker says the outage it is far more likely to be a mistake by someone  – an administrator for example-  inside the organization. “Someone made a configuration change which ended up having a knock-on effect, which in turn took down the systems.”

Alternatively, he suggests it could have also been a reaction to something seen, such as someone attempting to breach the network – “where the decision was that it was better to take the network down to resolve the issue rather than have a potential breach”.

He explains: “These days networks are sufficiently complex that segregation is so difficult – particularly large cloud applications – that it becomes easier to shut everything down than run the risk of something ‘getting in’ and infecting the entire network.”

The outage will likely end up being an issue with either internal IT infrastructure or a network supplier’s connectivity, says Naaman Hart, cloud services security architect at Digital Guardian. He also questions why a service “as large and public as Facebook” isn’t fault tolerant.  “If every other service in the region were down, fair enough, but this looks like it just impacts Facebook and its child entities.”

To conclude

Of course, it’s impossible to answer the question definitively. But what’s always important in cases such as these is transparency. Facebook has been shady in the past with multiple accusations that it is abusing user data. It’s therefore important that it does update users with the reason for the outage, with specifics, as soon as it has completed its investigation.

“I do hope that Facebook follows radical transparency and details the real cause of this outage,” says Mackey. “Doing so would go a long way in communicating that privacy can continue to be trusted on their platform. It would also provide other organizations with information they can use to avoid a similar situation and improve our collective security online.”

Source: https://www.forbes.com/sites/kateoflahertyuk/2019/03/14/was-the-facebook-outage-a-cyber-attack/#711c0eeb5223

Most organizations understand that DDoS attacks are disruptive and potentially damaging.  But many are also unaware of just how quickly the DDoS landscape has changed over the past two years, and underestimate how significant the risk from the current generation of attacks has become to the operation of their business. Here, I’m going to set the record straight about seven of the biggest misconceptions that I hear about DDoS attacks.

  • There are more important security issues than DDoS that need to be resolved first.

When it comes to cyber-attacks, the media focuses on major hacks, data breaches and ransomware incidents. DDoS attacks are growing rapidly in scale and severity: the number of attacks grew by 71% in Q3 2018 alone, to an average of over 175 attacks per day, while the average attack volume more than doubled according to the Link11 DDoS Report. The number of devastating examples is large. In late 2017, seven of the UK’s biggest banks were forced to reduce operations or shut down entire systems following a DDoS attack, costing hundreds of thousands of pounds according the UK National Crime Agency.  And in 2018, online services from several Dutch banks and numerous other financial and government services in the Netherlands were brought to a standstill in January and May. These attacks were launched using Webstresser.org, the world’s largest provider of DDoS-on-demand, which sold attack services for as little as £11.  It costs a criminal almost nothing and requires little to no technical expertise to mount an attack, but it costs a company a great deal to fix the damage they cause.

What’s more, DDoS attacks are often used as a distraction, to divert IT teams’ attention away from attempts to breach corporate networks.  As such, dealing with DDoS attacks should be regarded as a priority, not a secondary consideration.

  • I know that DDoS attacks are common, but I’ve never been affected before

Many companies underestimate the risk of being hit by DDoS because they have never been hit before. The truth is that oftentimes only one attack is already more than enough to cause severe damage in the value chain. This potentially affects any company that is connected to the Internet in any way. Overload attacks not only affect websites, but also all other web services such as e-mail communication, intranet, customer connections, supplier and workflow systems, and more.  Today, customers and partners expect 100% availability. Besides the business interruption due to production loss and recovery costs, reputational damage is a common consequence. Total costs for the incidents can quickly go into the millions. On the other hand, the costs for proactive protection against these kinds of attacks are comparably negligible.

  • There are many providers offering a solution, so DDoS is an easy problem to fix

DDoS is not a new topic, which means that many of the available solutions are outdated. Only a few provider deliver up-to-date, real-time protection that secures against all types of attacks on all network layers. Only a handful of providers can react immediately in an emergency, i.e. if the attack has already taken place, and quickly provide the right protection to organizations.

  • Reacting to an attack within a few minutes is sufficient

Ideally, the use of intelligent defence systems and always-on protection should prevent a failure in the first place. However, if a new attack pattern appears, the first 30 seconds are crucial. Even if an attack is mitigated after just one minute, subsequent IP connections will already be interrupted (for example, collapsing an IPSec tunnel) and it may take several hours until availability is restored. Although this prevents follow-up actions that can lead to infiltration and data theft, the economic costs of lost revenue, loss of productivity and damage to reputation can still be immense. Therefore, it is vital for organizations to implement a solution that guarantees mitigation in a matter of seconds.

  • We have our own 24/7 Security Operations Center (SOC), so we are immune

In the flood of security alerts in the SOC it is likely that some events are overlooked or not brought into context with other activities. Furthermore, the sheer amount of necessary analyses and measures is not feasible with people. Only a fully automated process that works based on intelligent and globally networked systems, and which precludes human errors in the process chain can ensure comprehensive security. Industrial-scale attacks can only be countered with industrial-scale defences.

  • I am already in the cloud and am automatically protected by my cloud provider

The major cloud providers offer some basic DDoS protections. But this is not aimed at preventing targeted, mega-scale attacks. In late 2016, the massive Dyn DDoS attack caused global disruption to public cloud services.  In addition, cloud applications are easily attacked by other applications from within the same cloud. Therefore, when running business-critical applications in the cloud, it is important to consider deploying additional DDoS protections to those applications.

  • I have invested in hardware that offers protection

Although these systems ensure high infrastructure performance, they only provide static protection against DDoS attacks. This means that the DDoS protection there can only be as good as the current version of the filtering software – which is already outdated as soon as it is released. This approach might have worked a couple of years ago. Nowadays, however, with ever more complex and powerful attacks that combine several vectors and target multiple layers at the same time, this kind of protection is unsufficient. Effective protection is only possible via intelligent and networked systems which use advanced machine-learning techniques to analyse traffic and build a profile of legitimate traffic.

In conclusion, DDoS protection needs to be seen as an essential part of the IT security infrastructure. Considering effective solutions in the event of an attack is too late. Through educating about misconceptions in this context and implementing the measures listed in this text, companies can position themselves sustainably in terms of their business continuity strategy.

Source: https://www.informationsecuritybuzz.com/articles/7-misconceptions-about-ddos-attacks-that-could-jeopardize-your-business/