DDoS Attacks Archive

Radware announced a new finding in the world of distributed denial-of-service (DDoS) attacks on Wednesday after researchers observed a type of SYN flood that the security company is calling a “Tsunami SYN Flood Attack.”

The Tsunami SYN Flood Attack stands out because it contains about 1,000 bytes per packet, whereas a typical SYN flood contains approximately 40 to 60 bytes per packet, Adrian Crawley, Radware regional director for the UK, told SCMagazine.com in a Thursday email correspondence. According to the Wednesday post, the attack is not UDP-based and is instead carried out over TCP protocol.

“Normally the SYN package is a simple handshake mechanism with a very low data footprint,” Crawley said. “It appears that hackers have found a way to add content to it – up to 1,000 bytes, or 25 times more data per handshake. This is allowed based on TCP RFC, but it is not common practice simply to avoid latency during the initial handshake. But because it is allowed by RFC, hackers can add data – this could be any random data – to the application which requested the initial SYN handshake.”

Radware observed the Tsunami SYN Flood Attack against an ISP and against a data center belonging to a gaming company, and mitigated both with its own technology, Crawley said. According to the post, the attack traffic arrived in pulses of about 4 to 5 Gbps.

“It’s possible that this Tsunami SYN Flood was orchestrated by using bot-machines – when a hacker gains unauthorized access to a number of computers,” Crawley said. “An attacker does not have 100 [percent] control over each machine that generates traffic, so as more “bots” were being accessed in the attack, [it] could account for the pulses of attack traffic, rather than a constant stream.”

Being a TCP volumetric flood, the Tsunami SYN Flood will not be stopped by defenses built for UDP-based attacks, the post indicates, adding that typical SYN cookie protections are also ineffective. That follows from what SYN cookies are for: they stop a flood of small SYNs from exhausting the server's connection table, but they do nothing about link bandwidth, and a flood of 1,000-byte SYNs at 4 to 5 Gbps saturates the pipe whether or not the server ever allocates state.
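The distinguishing feature described above is payload on the SYN itself, so a detector has to look at bytes per SYN rather than SYN count alone. The following is an added example, not code from Radware or the SCMagazine article: it parses raw IPv4/TCP packets with the standard library, keeps only SYN-without-ACK segments, and records per-source how many carry a large payload. The sample packets, the addresses and the 500-byte threshold are all constructed for the example; the threshold is an assumption chosen to sit well above the 40 to 60 byte SYNs the article calls typical.

```python
"""Flag SYN packets that carry an unusually large payload.

Added example. Parses raw IPv4/TCP packets (no Ethernet header) and
classifies every SYN-only segment by payload size. Sample traffic is
constructed inline; the threshold is an assumption.
"""
import struct

LARGE_SYN_PAYLOAD = 500  # bytes; assumption, not a figure from the article


def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, tcp_flags, tcp_payload_len), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # protocol 6 is TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4               # TCP header length in bytes
    flags = tcp[13]
    return src, dst, flags, max(0, len(tcp) - data_off)


def is_syn_only(flags: int) -> bool:
    """SYN set, ACK clear: the first packet of a handshake."""
    return bool(flags & 0x02) and not (flags & 0x10)


def classify_syns(packets):
    """Per source: number of SYNs, how many exceed the threshold, total SYN payload bytes."""
    stats = {}
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, _dst, flags, plen = parsed
        if not is_syn_only(flags):
            continue
        s = stats.setdefault(src, {"syns": 0, "large": 0, "bytes": 0})
        s["syns"] += 1
        s["bytes"] += plen
        if plen > LARGE_SYN_PAYLOAD:
            s["large"] += 1
    return stats


def suspicious_sources(packets, min_large=1):
    """Sources that sent at least min_large SYNs with a large payload."""
    return sorted(src for src, s in classify_syns(packets).items() if s["large"] >= min_large)


def build_packet(src, dst, flags, payload=b"", sport=40000, dport=80) -> bytes:
    """Construct an IPv4/TCP packet for the example (checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


# Constructed sample traffic: one ordinary handshake SYN and two 1,000-byte-class SYNs.
SAMPLE = [
    build_packet("203.0.113.5", "198.51.100.10", 0x02),               # normal SYN, no data
    build_packet("203.0.113.5", "198.51.100.10", 0x10),               # ACK, ignored
    build_packet("192.0.2.77", "198.51.100.10", 0x02, b"A" * 1000),   # SYN with 1000-byte payload
    build_packet("192.0.2.77", "198.51.100.10", 0x02, b"B" * 980),    # SYN with 980-byte payload
    build_packet("192.0.2.78", "198.51.100.10", 0x12),                # SYN-ACK, ignored
]

if __name__ == "__main__":
    for src, s in classify_syns(SAMPLE).items():
        print(src, s)
    print("large-payload SYN sources:", suspicious_sources(SAMPLE))
```

Data on a SYN is legal under RFC 793 and is used by TCP Fast Open, so a single large SYN is not evidence of anything; the useful signal is the per-source distribution over time (many large SYNs, little else), which is why the stats are kept per source rather than alerting per packet.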

“An attack like this cannot be mitigated on premise alone,” Crawley said. “Behavioral algorithms are key in both detecting and mitigating these threats, along with implementing a hybrid model of cloud and on-premise mitigation.”

Radware suspects this type of threat will be a new trend in DDoS attacks.

“This is a classic case of cyber-attackers looking at the types of attack tools out there, reinventing it, and deploying it out in the wild to test its effectiveness,” Crawley said. “These two attacks could have been “exploratory” to see how it stacks up to their cyber-defenses. I am sure this will not be the last time we see a Tsunami SYN Flood used as a volumetric attack in the near future.”

Source: http://www.scmagazine.com/researchers-observe-new-type-of-syn-flood-ddos-attack/article/376576/

Whilst the trend in distributed denial of service (DDoS) attacks has been towards larger and larger (volumetric) attacks in recent years, a newly published report claims to show that slow-and-low attacks, punctuated by short, targeted bursts, are now a lot more commonplace.

For its third annual set of research, Neustar interviewed IT professionals from around 450 companies, concluding that businesses are now seeing a more unstable and complex landscape.

Over the last year, says the report, DDoS attacks have evolved in terms of their strategy and tactics, with IT professionals seeing increased media reports of ‘smokescreening’ – where criminals use DDoS attacks to distract IT staff while inserting malware to breach bank accounts and customer data.

More than half of attacked companies reported theft of funds, data or intellectual property. Such cyber-attacks are intense but shorter-lived, more surgical than sustained strikes whose goal is extended downtime.

More than 47 percent of respondents said they viewed DDoS attacks as a greater threat than in 2012, whilst another 44 percent believe the problem is just as serious. In 2013, DDoS continued to cripple websites, shut down operations and cost millions of dollars in downtime, customer service and brand damage.

According to Rodney Joffe, Neustar's senior technologist, when there is a tremendous storm, most people run around the house making sure all the windows are closed and that they have a flashlight ready.

“You’re not worried about anything else. DDoS attacks are similar. They create an all-hands-on-deck mentality, which is understandable but sometimes dangerous,” he said, adding that with DDoS attacks the stakes are high: if you are a criminal, why mess around with extortion when you can just go ahead and steal, and on a much greater scale?

Neustar’s analysis also shows a trend towards shorter DDoS attacks alongside more attacks in the 1 Gbps to 5 Gbps range: quicker, more concentrated strikes.

“While it’s too soon to say for sure, this could stem from a highly damaging tactic, DDoS smokescreening,” says the report, adding that smokescreening is used to distract IT staff whilst the criminals grab and clone private data to siphon off funds, intellectual property and more.

One solution, concludes the report, is for organisations to install dedicated DDoS protection, as scrambling to find a solution in the midst of an emergency only adds to the chaos, and to any intended diversion.

According to Sarb Sembhi, a director of Storm Guidance, the report tracks some interesting trends.

“If you look at large companies suffering attacks, it is clear that the DDoS methodologies being used are getting very sophisticated,” he said, adding that a key aspect is that they are often relatively slow, but smart, in nature.

“With larger companies it is clear that the cyber-criminals are doing their research. They are clearly also testing their technology with smaller companies, and then using those companies’ IT systems as their own assets to launch other attacks,” he said.

Sembhi went on to say that his observations also suggest that larger companies are now starting to install layers of protection, as the report recommends, to mitigate a DDoS attack when it takes place.

Source : http://www.scmagazineuk.com/ddos-attacks-slow-and-smart-is-the-order-of-the-day/article/376283/

Attackers have been leveraging the Shellshock vulnerabilities to deliver malware since the issue was disclosed in late September, and now researchers with Trend Micro have observed a Bash bug payload, detected as TROJ_BASHKAI.SM, downloading the source code of the KAITEN malware.

KAITEN is an older Internet Relay Chat (IRC)-controlled malware that is typically used to carry out distributed denial-of-service (DDoS) attacks, so spreading the infection can help the attackers bring down targeted organizations, according to a Sunday Trend Micro post.

“The purpose is to add compromised systems to botnets,” Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com in a Monday email correspondence. “In this case these are botnets primarily focused on launching DDoS attacks.”

Getting KAITEN on the system – Linux/UNIX and Mac OS X systems are at risk, Budd said – is not a direct process.

TROJ_BASHKAI.SM connects to two URLs when executed, according to the post. The first URL downloads the KAITEN source code, which is compiled using the gcc compiler and ultimately builds an executable file detected as ELF_KAITEN.SM.

Compiling on the victim ensures the malware runs correctly: a pre-built executable would risk compatibility problems across different Linux distributions, the post indicates. Downloading source rather than a binary also lets the payload slip past network security systems that only scan for executables.

ELF_KAITEN.SM connects to an IRC server at x[dot]secureshellz[dot]net, joins the IRC channel #pwn, and awaits commands, according to the post. Supported commands include UDP flood, SYN flood, PUSH-ACK flood, file download, sending raw IRC commands, starting a remote shell, and disabling, enabling or terminating the client.

When TROJ_BASHKAI.SM connects to the second URL, KAITEN source code is again downloaded and compiled, this time into ELF_KAITEN.A, which is essentially the same as ELF_KAITEN.SM except that it connects to linksys[dot]secureshellz[dot]net[colon]25 and joins the channel #shellshock, the post indicates.

Source: http://www.scmagazine.com/bash-bug-payload-downloads-kaiten-malware/article/375650/

DDoS zombie army found in the wild hours after flaw surfaces

Mere hours after its discovery, the Shell Shock Bash vulnerability was exploited by an attacker to build a botnet.

The bot was discovered by a researcher known as Yinette, who reported it on her GitHub account and said it appeared to be remotely controlled by miscreants.

Rapid7 researcher Jen Ellis noted the discovery of the distributed denial-of-service bot in a blog post, and described the Shellshock bug in detail.

“The vulnerability looks pretty awful at first glance, but most systems with Bash installed will NOT be remotely exploitable as a result of this issue,” Ellis said.

“In order to exploit this flaw, an attacker would need the ability to send a malicious environment variable to a program interacting with the network and this program would have to be implemented in Bash, or spawn a sub-command using Bash.

“The most commonly exposed vector is likely going to be legacy web applications that use the standard CGI implementation. On multi-user systems, setuid applications that spawn ‘safe’ commands on behalf of the user may also be subverted using this flaw.”

Attackers that could achieve exploitation would gain the ability to execute arbitrary commands at the same privilege level as the affected process, she said.

Ellis, like other security researchers, said there was not yet enough detail available to determine the scope of the impact, but the discovery of a botnet hours after news of Shell Shock broke was a concerning sign.

She said the simplest action was to roll out Bash patches as soon as they were released, including any partial fixes, and to stuff end-of-life wares behind secure firewalls.

News of the bot comes as a fix released by Red Hat was found to be incomplete – although people are urged to apply the patch to thwart most attacks on at-risk systems, another patch is expected soon to close up the hole for good.

Red Hat security engineer Huzaifa Sidhpurwala said Red Hat became aware of the problem with the initial fix, an issue that was also raised by infosec bods on Twitter.

“Red Hat has become aware that the patches shipped for this issue are incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions,” Sidhpurwala said, noting details of a workaround.

Metasploit punters could obtain the module released the day before to detect exposure to Shell Shock; it is available for both the free and paid versions of the software.
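Both the Trend Micro and the Register pieces above describe the same delivery path: a crafted environment variable, carried in an HTTP header or query string, reaching a CGI handler that runs Bash. On the defensive side, the first place that shows up is the web server access log. The following is an added example, not code from Rapid7, Trend Micro or the Register: it scans combined-format access log lines for the Bash function-definition prefix that triggered the bug and extracts the command that would have run. The log lines are constructed for the example, and the combined log layout is an assumption about the server's configuration.

```python
"""Detect Shellshock probes in web server access logs.

Added example, not from any of the quoted articles. Looks for the bash
function-definition prefix "() {" in the request path, Referer and
User-Agent of Apache/nginx combined-format log lines, since all three
are exported to CGI programs as environment variables. Sample log lines
are constructed; addresses are documentation ranges.
"""
import re
from urllib.parse import unquote

# Combined log format (assumption: the default Apache/nginx layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The function-definition prefix bash mis-parsed, allowing whitespace variants.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def attacker_controlled_fields(m):
    """Request path, Referer, User-Agent, URL-decoded as a CGI env would see them."""
    parts = m.group("req").split(" ")
    path = parts[1] if len(parts) >= 2 else m.group("req")
    return {
        "request": unquote(path),
        "referer": unquote(m.group("referer")),
        "user_agent": unquote(m.group("ua")),
    }


def extract_command(value, hit):
    """Text after the function body's closing brace: what bash would execute."""
    after = value[hit.end():]
    body_end = after.find("}")
    if body_end < 0:
        return ""
    return after[body_end + 1:].lstrip("; ").strip()


def scan_line(line):
    """Return a finding dict if the line carries a Shellshock prefix, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, value in attacker_controlled_fields(m).items():
        hit = SHELLSHOCK_RE.search(value)
        if hit:
            return {"ip": m.group("ip"), "field": name,
                    "command": extract_command(value, hit), "raw": value}
    return None


def scan_log(lines):
    """All findings, in log order."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample log: one benign line, three probes via different fields,
# and a User-Agent with parentheses that must not trigger a false positive.
SAMPLE_LOG = [
    '198.51.100.4 - - [25/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:02:33 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; /bin/bash -c \'id\'"',
    '203.0.113.9 - - [25/Sep/2014:10:02:41 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "(){ :;}; /bin/bash -c \'uname -a\'" "curl/7.30.0"',
    '192.0.2.55 - - [25/Sep/2014:10:03:01 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 200 45 "-" "Wget/1.15"',
    '198.51.100.8 - - [25/Sep/2014:10:04:19 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Foo/1.0)"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']} via {finding['field']}: {finding['command']}")
```

The URL decoding matters because the query string is exported to CGI programs verbatim as QUERY_STRING after transport, so an encoded `%28%29%20%7B` in the log is a live probe even though the raw log text never contains `() {`. A match here says only that someone tried; whether the server was exposed depends on the Bash version and on which handlers actually spawned a shell, which is what the Metasploit check module mentioned above is for.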

Source: http://www.theregister.co.uk/2014/09/26/bad_guy_builds_beastly_bash_botnet/

A worrisome trend of repeated DDoS attacks has been spotted recently. Following the Lizard Squad attacks against Destiny and Call of Duty servers, researchers confirmed a high volume of attacks in the first six months of 2014. Players hit by the attacks were booted from the servers in the middle of a game and shown an error message; access to the game was restricted for several hours, and players complained and threatened to demand refunds.

This trend is likely to continue for two main reasons: ready access to DDoS-for-hire services, and the widespread coverage the attacks receive. Website operators therefore need to put defenses in place against DDoS attacks.

DDoS attack duration

These attacks are short in duration and repeated frequently. Approximately 90% of the attacks detected during the period lasted less than half an hour. According to the experts, the ongoing trend is toward attacks on latency-sensitive websites, including hosting services, online gaming and e-commerce, which is why such sites need defenses that respond quickly.

DDoS attack strength
The attacks are high-rate and high-volume. Roughly one third of attacks reached more than 500 Mbps, and five percent reached up to 4 Gbps. In the first half of 2014 more than 50% of DDoS attacks exceeded 0.2 Mpps, a 16% increase, while more than 2% of attacks started at 3.2 Mpps or above.

DDoS attack methods

DDoS attacks fall into three main methods: DNS Flood, TCP Flood and HTTP Flood, which together account for 85% of all attacks. The most popular is the DNS Flood, making up 42% of all attacks observed. The number of HTTP Flood and DNS Flood attacks has decreased, while TCP Flood attacks grew substantially.

Attacks on ISPs
The researchers found that attacks on ISPs increased by 87%, attacks on online gaming increased by 60%, and attacks on enterprises increased by 100%.

DDoS attacks of high-frequency

The period also produced some of the largest, longest and most frequent attacks seen. The longest single attack lasted almost 12 days, while the largest by packet rate peaked at 23 million packets per second.

At the same time, more than 40% of victims were targeted more than once, and one in every 40 victims was hit more than 10 times. The highest number of attacks recorded against a single victim was 68 separate DDoS attacks.

Source: http://sensorstechforum.com/ddos-attacks-gaming-sites/