DDoS Attacks Archive

Old and cheap modems are now being blamed for Spark’s broadband troubles.

Customers reported slow speeds and dropped connections over the weekend.

Spark now believes cyber criminals have gained access to a number of customers' modems and disrupted the network that way.

It has disconnected the affected modems and is contacting customers to discuss solutions.

Meanwhile, further denial of service attacks of the kind which hobbled Spark's internet over the weekend are extremely unlikely, according to an industry body.

Internet New Zealand’s work programme director Andrew Cushen says people arriving at work for the first time since Friday should run a virus scan on their computers.

But he doesn’t believe Spark will be a long-term target.

“These attacks are unfortunately quite common on the internet and they are used quite commonly overseas.

“We don’t see them often here in New Zealand, because denial of service attacks usually go after higher profile targets.”

Source: http://www.newstalkzb.co.nz/auckland/news/nbnat/2051865836-further-denial-of-service-attacks-on-spark-unlikely

New study warns of rising smokescreening practice in cyberattacks

The top takeaway of a new study suggests that more and more frequently, distributed denial of service (DDoS) attacks are being used as a smokescreen, distracting organizations while malware or viruses are injected to steal money, data, or intellectual property.

The white paper, the 2014 Neustar Annual DDoS Attacks and Impact Report: A Neustar High-Tech Brief, reveals insights into this trend based on a survey of 440 North American companies, comparing DDoS findings from 2013 to 2012.

Over the last year, the study found, DDoS attacks evolved in strategy and tactics. More than half of attacked companies also reported theft of funds, data, or intellectual property. These cyber-attacks are intense but quick, more surgical in nature than sustained strikes whose goal is to extend downtime.

This year's survey also demonstrated that the landscape of DDoS attacks is changing. The number of attacks is up, but attack duration is down, meaning that attacks are becoming more intense and harder to catch. Larger attacks are more common, but most attacks are still less than 1 Gbps. Although companies report a greater financial risk during a DDoS outage, most still rely on traditional defenses such as firewalls, rather than purpose-built solutions like DDoS mitigation hardware or cloud services.

Among the study’s other findings:

  • Virus and malware insertion during DDoS attacks was common: 47 percent of companies that experienced a DDoS attack and a data breach simultaneously reported the installation of a virus or malware.
  • The industry sees DDoS as a growing threat, with 91 percent of high-tech respondents viewing DDoS as a similar or larger threat than just a year ago.
  • 87 percent of companies attacked were hit multiple times.
  • Nearly twice as many businesses were hit: in 2013, 60 percent of companies were DDoS-attacked, up from 35 percent in 2012, and the 2013 attacks were of shorter duration.
  • Attacks between 1 and 5 Gbps almost tripled.
  • Customer support is the leading area of impact. For 53 percent of tech companies that suffered an outage, customer service was cited as the area most affected, while 47 percent named brand/customer confidence as the most affected.
  • Collectively, non-IT/security groups see the greatest cost increases in the event of a DDoS attack.
  • High-tech revenue losses are in line with those of other sectors. In 2013, DDoS was just as risky for high-tech as for other verticals, with 47 percent reporting revenue risks of more than $50K per hour and 31 percent hourly risks of more than $100K. That means that daily revenue risks are often measured in seven figures.

The conclusion of the report is that there is a trend towards shorter DDoS attacks, but also more attacks from 1 to 5 Gbps — quicker, more concentrated strikes, that suggest a growing presence of a highly damaging tactic called DDoS smokescreening.

Smokescreening distracts IT and security teams with a DDoS attack, allowing criminals to grab and clone private data and siphon off funds, intellectual property, and other information. In one case, thieves used DDoS to steal bank customers' credentials and drain $9 million from ATMs in just 48 hours. Such crimes have caused the FDIC to warn about DDoS as a diversionary tactic.

The study urges businesses to watch for the warning signs, in particular shorter, more intense attacks that come with no extortion or policy demands. It also counsels them to follow best practices: not assigning all resources to DDoS mitigation, but dedicating some staff to monitoring entry systems during attacks; keeping systems patched and security controls up to date; and establishing dedicated DDoS protection.
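As an added illustration of the monitoring practice recommended above (this is not code from the Neustar report or from any product), the following Python script pairs a DDoS sensor's start/end events with activity on systems an attacker would use as an entry point, such as VPN logins and bulk database exports, and flags that activity for review when it falls inside a short, intense attack window. The log format, the host names, the "ddos-sensor" source, the entry-system names and the 30-minute / 1 Gbps cut-offs are assumptions; the log lines are constructed.

```python
"""Smokescreen check: correlate entry-system activity with a DDoS window.

Added example, not from the Neustar report. Log lines, host names and
thresholds are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines: a short, intense volumetric alert followed by a
# VPN login and a bulk export while the attack is still running, then a
# login hours later that should not be flagged.
LOG_LINES = [
    "2014-03-02T10:00:05Z ddos-sensor state=START inbound_rate=8.2Gbps target=www",
    "2014-03-02T10:02:10Z vpn login user=jsmith src=203.0.113.9 result=ok",
    "2014-03-02T10:03:40Z dbproxy export table=customers rows=1400000 dst=198.51.100.7",
    "2014-03-02T10:11:00Z ddos-sensor state=END inbound_rate=0.1Gbps target=www",
    "2014-03-02T14:30:00Z vpn login user=jsmith src=203.0.113.9 result=ok",
]

# Assumed cut-offs: an attack that is over within half an hour and peaks
# above 1 Gbps matches the "short, intense" profile the report warns about.
MAX_SMOKESCREEN_MINUTES = 30
MIN_PEAK_GBPS = 1.0
ENTRY_SYSTEMS = {"vpn", "dbproxy"}  # assumed names of systems worth watching

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a line into timestamp, source, free-text action and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    rest = m.group(3)
    words = rest.split()
    action = words[0] if words and "=" not in words[0] else ""
    return {"ts": ts, "source": m.group(2), "action": action, **dict(KV_RE.findall(rest))}


def attack_windows(records):
    """Pair the sensor's START/END events into (start, end, peak_gbps) tuples."""
    windows, start, peak = [], None, 0.0
    for r in records:
        if r["source"] != "ddos-sensor":
            continue
        rate = float(r["inbound_rate"].replace("Gbps", ""))
        if r["state"] == "START":
            start, peak = r["ts"], rate
        elif r["state"] == "END" and start is not None:
            windows.append((start, r["ts"], max(peak, rate)))
            start = None
    return windows


def is_smokescreen_candidate(window):
    """Short and intense: the shape the report says to treat as a possible diversion."""
    start, end, peak = window
    return end - start <= timedelta(minutes=MAX_SMOKESCREEN_MINUTES) and peak >= MIN_PEAK_GBPS


def entry_activity_during(records, windows, grace=timedelta(minutes=5)):
    """Entry-system events that fall inside a candidate window (plus a grace period)."""
    flagged = []
    for window in windows:
        if not is_smokescreen_candidate(window):
            continue
        start, end, _peak = window
        for r in records:
            if r["source"] in ENTRY_SYSTEMS and start - grace <= r["ts"] <= end + grace:
                flagged.append(r)
    return flagged


def analyse(lines):
    """Return the attack windows found and the entry-system events to review."""
    records = [r for r in map(parse_line, lines) if r]
    windows = attack_windows(records)
    return windows, entry_activity_during(records, windows)


if __name__ == "__main__":
    windows, flagged = analyse(LOG_LINES)
    for w in windows:
        print("attack window", w, "smokescreen candidate:", is_smokescreen_candidate(w))
    for r in flagged:
        print("REVIEW:", r["ts"].isoformat(), r["source"], r["action"])
```

The point of the check is not that a login during an attack is malicious, but that during a short, intense flood nobody is looking at it; the script produces the short list that the staff kept off the mitigation effort should be reading.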

Rodney Joffe, Neustar senior VP and senior technologist notes, “The stakes are much higher. If you’re a criminal, why mess around with extortion when you can just go ahead and steal — and on a much greater scale?”

Source: http://www.bsminfo.com/doc/smokescreening-is-the-latest-danger-in-ddos-attacks-0001

Several gaming servers have been at the receiving end of DDoS attacks over the past several hours. Blizzard’s Battle.net servers, Riot’s League of Legends, Grinding Gear Games’ Path of Exile, and PlayStation Network are among those under attack by a group of hackers calling themselves Lizard Squad.

Several tweets have gone up throughout Saturday evening, in which Lizard Squad has taken responsibility for the attacks. The group started with Blizzard’s servers that include Hearthstone, Diablo 3, World of Warcraft and others. The group quickly spread to League of Legends and Path of Exile before deciding to spread their terror to PlayStation Network. The latter’s outage is not related to the scheduled maintenance set to begin Monday morning.

The situation is ongoing, as the affected companies' staff work to bring the servers back online.

Source: http://www.shacknews.com/article/85951/blizzard-playstation-network-and-more-under-wide-ddos-attack

Creating a botnet to carry out Distributed Denial of Service attacks (DDoS), is simpler than many people realise. Recently, Incapsula reported an attack they uncovered that involved a profile image associated with comments on a webpage in order to get the user’s browser to carry out a DDoS attack on a target site.

The attacker first injected JavaScript code into the image tag associated with his profile image, then posted comments on the site with the tampered image as his avatar. When other users navigated to the site, their browsers automatically executed the JavaScript. The code creates a hidden iframe on the page that loads from the attacker's command and control (C&C) server, from which it learns the target sites for the DDoS attack. The iframe then sends GET requests to the target server to conduct the attack.

An application-layer DDoS attack of this kind relies on a large number of GET requests sent over a short period. The attack reported by Incapsula sent one GET request to the target site every second. The infected images were placed on a video download site, so an unsuspecting user who watched a video for, say, 30 minutes sent a GET request to the target every second of that period. By placing his infected image on a number of pages hosting different popular videos, the attacker caused 22,000 users to issue a total of 20 million GET requests.
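The injection point described above, shown as an added example that is neither Incapsula's code nor the affected site's: server-side rendering of a user-supplied avatar URL, first the injectable form and then a hardened form that validates the scheme and attribute-encodes the value. It also parses the rendered markup the way a browser would, to show which version actually yields an event-handler attribute. The payload, the host names and the default-avatar path are constructed.

```python
"""Avatar rendering: the injectable version beside a hardened one.

Added example, not code from Incapsula's write-up or from the affected site.
Field names, URLs and the payload are constructed for illustration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed payload of the kind the article describes: a stored "avatar URL"
# that closes the src attribute and smuggles in an event handler. Whatever
# script the handler names would run in every visitor's browser.
MALICIOUS_AVATAR = 'http://x/a.png" onerror="startFlood()'
BENIGN_AVATAR = "https://cdn.example.test/avatars/42.png"   # assumed host
DEFAULT_AVATAR = "/static/default.png"                      # assumed path


def render_avatar_unsafe(avatar_url: str) -> str:
    """Interpolates the stored value straight into markup: the bug."""
    return f'<img class="avatar" src="{avatar_url}">'


def is_allowed_avatar_url(avatar_url: str) -> bool:
    """Allow only absolute http(s) URLs; rejects javascript: and data: schemes.
    Note that the malicious payload above still passes: it *is* an http URL."""
    parts = urlsplit(avatar_url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_avatar_safe(avatar_url: str) -> str:
    """Validate the scheme, then attribute-encode so quotes cannot break out."""
    if not is_allowed_avatar_url(avatar_url):
        avatar_url = DEFAULT_AVATAR
    return f'<img class="avatar" src="{html.escape(avatar_url, quote=True)}">'


class _ImgHandlers(HTMLParser):
    """Collects on* attributes of <img> tags, i.e. what a browser would wire up."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.handlers.extend(name for name, _value in attrs if name.startswith("on"))


def injected_handlers(markup: str):
    """Return the list of event-handler attribute names found on <img> tags."""
    parser = _ImgHandlers()
    parser.feed(markup)
    return parser.handlers


if __name__ == "__main__":
    for label, value in (("benign", BENIGN_AVATAR), ("malicious", MALICIOUS_AVATAR)):
        for renderer in (render_avatar_unsafe, render_avatar_safe):
            out = renderer(value)
            print(f"{renderer.__name__:20} {label:9} handlers={injected_handlers(out)}  {out}")
```

The scheme check alone would not have stopped this payload, because a syntactically valid http URL may contain a quote character; it is the attribute encoding that keeps the value inside the attribute. What the article describes is a stored cross-site scripting bug; the DDoS is only the payload the attacker chose to deliver through it.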

Jeremiah Grossman and Matt Johansen from WhiteHat Security have shown that by bypassing the connection limits of the browser, an attacker can scale up the number of simultaneous connections and send out a higher rate of GET requests. They believe it is possible to send up to 10,000 GET requests per minute from each browser running the script.

These researchers have also shown that this attack can be easily launched through online advertisements. They calculate that it would cost around $500 advertising spend to infect and create a botnet of 1 million browsers. With each browser sending 10,000 GET requests per minute, it would be a most formidable DDoS attack.

When the browser navigates away from the page containing the injected JavaScript, the iframe and the code are discarded with the page and nothing remains. No malware is left on the PC by this attack; it is a leave-no-trace attack.

In addition to using the botnet to launch a DDoS attack, it is also possible to use it for other purposes such as password hash cracking.

There is no browser-side patch for this attack: browsers are designed to execute whatever script a page serves. Using an ad blocker prevents a browser from being recruited through the advertising route, but it does nothing against the comment-avatar route, which only the site operator can close, by validating and encoding user-supplied profile data before it is rendered into the page.

The ease with which a botnet such as described can be created, would indicate that we can expect this method to be used more often in the future in DDoS attacks.

Source: http://dwaterson.com/2014/04/14/method-to-create-a-botnet-and-carry-out-a-ddos-attack/

The initial months of 2014 saw a dramatic increase in the number of NTP-based distributed denial-of-service (DDoS) attacks, according to multiple DDoS mitigation vendors. But one report cautions that SYN floods are still more likely to cause enterprises damage.

The 2013-2014 DDoS Threat Landscape Report, issued last week by cloud-based DDoS mitigation service provider Incapsula Inc., indicated that as recently as December 2013 there were fewer than half as many NTP-based DDoS attacks as large SYN floods.

However, that gap may be closing. Websites protected by Incapsula experienced a barrage of NTP-based DDoS attacks in February, overtaking large SYN floods during that period. The company even expanded the scope of its report to take note of the trend. All told, NTP-based attacks made up almost 15% of the network-focused DDoS attacks the company saw against its clients.

Incapsula is not the only DDoS mitigation provider to notice this recent spike in NTP amplification activity. Fort Lauderdale, Fla.-based Prolexic, now owned by Akamai Technologies Inc., saw such attacks against its clients surge 371% in the month of February alone.

The Network Time Protocol (NTP), an Internet standard used to synchronize clocks across networks of computers, has become an attractive tool for attackers because it can be used to amplify DDoS attacks. Client systems query NTP servers over UDP to initiate a time request exchange, with synchronization typically happening every few minutes (ntpd's default poll interval ranges from 64 to 1024 seconds).

The packets that NTP servers send back can be hundreds of times larger than the initial request, according to a January blog post by DDoS mitigation provider CloudFlare Inc.'s John Graham-Cumming. By comparison, DNS replies, which are more commonly used in amplification attacks, typically give only about eight times as much bandwidth. Because NTP runs over UDP, an attacker can forge the source address of the request so that the oversized reply is delivered to the victim rather than back to the attacker.

NTP DDoS attacks: A fad or here to stay?

NTP is hardly a new protocol though, so why the attention now?

Igal Zeifman, product evangelist for Redwood Shores, Calif.-based Incapsula, described the use of NTP in DDoS attacks as largely “a fad” resulting from recent successful attacks — and subsequent media attention — that took advantage of the protocol.

The issue dates back to mid-January, when US-CERT issued an advisory warning of NTP amplification attacks making use of CVE-2013-5211. The flaw concerns the "monlist" (MON_GETLIST) command of ntpd's mode-7 control interface: a single small request makes the server return a list of up to 600 of the most recent addresses that have connected to it. Sent with a forged source address, that request makes the server deliver the large reply to the victim, and the list itself also hands the attacker an inventory of other hosts that talk to the server.
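To make the mechanism concrete, here is an added Python example (not code from US-CERT, Incapsula or CloudFlare) that decodes the mode-7 header of an NTP packet to recognise a monlist request, builds the 8-byte probe that ntpdc's monlist command sends so the check can be exercised offline, and scores UDP/123 flow records by how many more bytes a server sends to a host than that host sent it. The header layout and the request codes 20 and 42 follow ntpd's mode-7 request definitions; the flow records, the packet sizes and the 50x alert threshold are constructed.

```python
"""NTP mode-7 monlist recognition and amplification scoring from flow records.

Added example, not code from US-CERT, Incapsula or CloudFlare. Flow records
and byte counts are constructed; the header layout and request codes follow
ntpd's mode-7 (private) request format.
"""
from collections import defaultdict

REQ_MON_GETLIST = 20     # ntpd request codes that return the recent-client list
REQ_MON_GETLIST_1 = 42   # the variant ntpdc's "monlist" command sends
IMPL_XNTPD = 3           # implementation number ntpdc uses
NTP_PORT = 123


def parse_mode7_header(payload: bytes):
    """Decode the 8-byte mode-7 header; None if this is not a mode-7 packet.

    First byte: response bit, more bit, 3-bit version, 3-bit mode.
    Then auth/sequence, implementation number, request code."""
    if len(payload) < 8:
        return None
    rm_vn_mode, _auth_seq, implementation, request = payload[:4]
    if rm_vn_mode & 0x07 != 7:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),
        "version": (rm_vn_mode >> 3) & 0x07,
        "implementation": implementation,
        "request": request,
    }


def is_monlist_request(payload: bytes) -> bool:
    """True for an inbound mode-7 request asking for the monitor list."""
    h = parse_mode7_header(payload)
    return bool(h) and not h["response"] and h["request"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1)


def build_monlist_request() -> bytes:
    """The probe ntpdc sends: version 2, mode 7 (0x17), XNTPD, request 42, zero counts."""
    return bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + bytes(4)


# Constructed UDP flow records: (src, sport, dst, dport, packets, bytes).
FLOWS = [
    # A request carrying the (spoofed) victim address reaches an open server ...
    ("203.0.113.10", 123, "198.51.100.5", 123, 1, 48),
    # ... and the server's multi-packet monlist reply lands on the victim.
    ("198.51.100.5", 123, "203.0.113.10", 123, 100, 48200),
    # An ordinary time exchange (mode 3/4, 48 bytes each way) for contrast.
    ("192.0.2.20", 51234, "198.51.100.5", 123, 1, 48),
    ("198.51.100.5", 123, "192.0.2.20", 51234, 1, 48),
]


def amplification_by_pair(flows, port=NTP_PORT):
    """For each host pair talking on udp/123, bytes in the heavier direction
    divided by bytes in the lighter one, keyed (sender, receiver) of the heavy side."""
    per_direction = defaultdict(int)
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if port in (sport, dport):
            per_direction[(src, dst)] += nbytes
    ratios = {}
    for (src, dst), sent in per_direction.items():
        back = per_direction.get((dst, src), 0)
        if sent > back:                      # src emits more than it receives
            ratios[(src, dst)] = sent / max(back, 1)
    return ratios


def suspected_amplification(flows, min_ratio=50.0):
    """Pairs whose byte asymmetry is large enough to be amplification rather than time sync."""
    return {pair: r for pair, r in amplification_by_pair(flows).items() if r >= min_ratio}


if __name__ == "__main__":
    print("probe recognised:", is_monlist_request(build_monlist_request()))
    for (amplifier, victim), ratio in suspected_amplification(FLOWS).items():
        print(f"{amplifier} -> {victim}: {ratio:.0f}x")
```

The byte-ratio view is what makes NTP floods easy to spot on the wire, which is Zeifman's point below: legitimate time synchronisation is tiny and symmetric, so any udp/123 pair with a large one-way imbalance is either an amplifier being abused or a victim being hit.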

A month later, in a highly publicized affair, CloudFlare fought off an NTP-based amplification DDoS attack against an unnamed client that reportedly hit peak bandwidth of just under 400 Gbps. Days after the CloudFlare incident, Burlington, Mass.-based Arbor Networks Inc. confirmed separately that it had observed an NTP amplification attack hitting peak speeds of 325 Gbps.

Despite the likelihood that more copycat attackers will take advantage of NTP, Zeifman said that enterprises using DDoS protections have no need to panic, though other organizations that don’t employ a third-party provider to handle large-scale DDoS attacks should be wary of such attacks.

“High-volume NTP traffic is immediately suspicious and can almost immediately be disregarded,” said Zeifman. “You don’t need a sophisticated DDoS mitigation service to stop a NTP-driven flood.”

Enterprises should be worried more about typical SYN floods, according to Zeifman, because SYN packets are much more common on any network. This makes it more difficult for even dedicated DDoS mitigation service providers to differentiate between malicious and legitimate traffic.

SYN flooding also remains the most widely used DDoS technique, Zeifman noted. Combined, normal and large-scale SYN floods accounted for half of all the network-based DDoS attacks in Incapsula's report, and large-scale SYN floods alone made up over half of the DDoS attacks that reached peak speeds of 20 Gbps or more.

More worryingly, the report indicates that four out of every five recent DDoS attacks used at least two techniques, Zeifman said, with the combination of normal and large-scale SYN floods making up 75% of those multi-vector DDoS attacks.

A normal SYN flood has an attacker send a large number of SYN packets from forged IP addresses. The server answers each one with a SYN-ACK and waits for the final ACK of the TCP three-way handshake, but because the source addresses are forged that ACK never arrives, so the attacker can fill the server's queue of half-open connections and new, legitimate connections are turned away.

According to Zeifman, large-scale SYN floods, on the other hand, are focused purely on clogging network pipes with overwhelming traffic. The combination of the two techniques makes perfect sense for attackers looking to cover all the bases, he said.
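An added example (not from Incapsula's report) of the half-open exhaustion described above: a Python model of a listening socket's SYN queue fed first by SYNs from forged addresses and then by three real clients, plus a detector that uses the fraction of SYNs that ever complete the handshake rather than per-source counts. The backlog size of 128, the address ranges and the packet streams are constructed.

```python
"""SYN-flood backlog exhaustion and a handshake-completion detector.

Added example, not from Incapsula's report. Packet streams are constructed;
the backlog size is an assumed value.
"""

BACKLOG = 128  # assumed listen() backlog of the target service


def legit_clients(n):
    """n real clients: each SYN is followed by the ACK that completes the handshake."""
    pkts = []
    for i in range(n):
        key = (f"10.0.0.{i + 1}", 40000 + i)
        pkts.append((*key, "S"))
        pkts.append((*key, "A"))
    return pkts


def spoofed_flood(n):
    """n SYNs cycling through a forged /24: nobody owns those addresses, so no ACK ever returns."""
    return [(f"198.51.100.{i % 254 + 1}", 1024 + i, "S") for i in range(n)]


def simulate_backlog(packets, backlog=BACKLOG):
    """Track half-open entries the way a listening socket's SYN queue would.

    Real stacks expire entries once SYN-ACK retransmissions time out; this
    illustration keeps them until the peer's ACK arrives, which for spoofed
    sources is never."""
    half_open = set()
    completed = dropped = 0
    for src, sport, flag in packets:
        key = (src, sport)
        if flag == "S":
            if key in half_open:
                continue                      # retransmitted SYN, already queued
            if len(half_open) >= backlog:
                dropped += 1                  # queue full: the SYN is silently dropped
            else:
                half_open.add(key)
        elif flag == "A" and key in half_open:
            half_open.remove(key)
            completed += 1
    return {"half_open": len(half_open), "completed": completed, "dropped": dropped}


def completion_ratio(packets):
    """Fraction of distinct SYNs for which a matching ACK appeared, independent of queue size."""
    seen_syn, done = set(), 0
    for src, sport, flag in packets:
        if flag == "S":
            seen_syn.add((src, sport))
        elif flag == "A" and (src, sport) in seen_syn:
            done += 1
    return done / len(seen_syn) if seen_syn else 1.0


def looks_like_syn_flood(packets, min_syns=100, max_ratio=0.5):
    """Flag when many SYNs arrive and few handshakes complete. Per-source counting
    would miss this: every forged address may send only a single SYN."""
    syns = sum(1 for _src, _sport, flag in packets if flag == "S")
    return syns >= min_syns and completion_ratio(packets) <= max_ratio


if __name__ == "__main__":
    quiet = legit_clients(3)
    attacked = spoofed_flood(200) + legit_clients(3)
    for label, pkts in (("quiet", quiet), ("attacked", attacked)):
        print(label, simulate_backlog(pkts), f"completion={completion_ratio(pkts):.3f}",
              "flood" if looks_like_syn_flood(pkts) else "normal")
```

The model shows why the two SYN-flood variants need different answers. Against the normal flood, SYN cookies (on Linux, net.ipv4.tcp_syncookies) let the server answer SYNs without keeping queue state, so the 128-entry queue can no longer be filled. Against the large-scale flood that simply saturates the link, no end-host setting helps; the traffic has to be absorbed upstream.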

“If DDoS is like breaking into a house, this technique is like trying the front door and the side windows,” said Zeifman. “Attackers are hoping that one of the two is unprotected.”

Source: http://searchsecurity.techtarget.com/news/2240217471/NTP-based-DDoS-attacks-on-the-rise-but-SYN-floods-still-more-perilous