DDoS Attacks Archive

When hackers take down a website, their weapon of choice is often a less-than-subtle technique known as a denial of service attack, which merely overwhelms a site’s servers with junk traffic. But the trick that the hacker group known as the Syrian Electronic Army pulled against the New York Times, Twitter, and the Huffington Post UK Tuesday seems to have been very different–and potentially far more invasive.

On Tuesday evening, Australian domain registrar Melbourne IT confirmed the security community’s suspicions that it was the weak link that allowed the outages of the Times’ website, and very likely the attacks on Twitter and the Huffington Post as well. Melbourne IT, like other domain registrars, controls a domain’s entry in the Web’s domain name system (DNS): on the owner’s behalf it tells the registry which name servers translate the domain names users type into their browsers or click on into the numerical IP addresses of the servers that host those websites. According to Melbourne IT, one of its resellers’ accounts was compromised, giving the attackers the ability to change which DNS servers resolve their clients’ sites, essentially hijacking the sites’ traffic, potentially including all web traffic and email. (The battle for control of the domains still continues for the Times–NYTimes.com remained offline as of Wednesday night.)

“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies,” Melbourne IT’s head of corporate communications wrote to me in an emailed statement.

The pro-Syrian government provocateur hackers known as the Syrian Electronic Army, however, haven’t left the attack’s source to the imagination. “Hi @Twitter, look at your domain, its owned by #SEA :)” the group tweeted Tuesday afternoon, along with the link to Twitter’s domain information, showing that they had changed it to the SEA’s. The group also temporarily replaced the Times’ site with a page showing their logo, and a message that read “Hacked by Syrian Electronic Army.”

That level of takeover is far more serious than merely knocking a site offline or defacing it, points out David Ulevitch, who runs the DNS service OpenDNS and monitored the day’s hijinks. “This isn’t just an embarrassment for the New York Times, but a serious security threat,” he says. He suggests that confidential emails–say, from sensitive sources in Syria–could have been compromised, too. “If email could be redirected and captured by the Syrian Electronic Army, you’ve blown your confidential status.”

Worse yet, an attacker could use the trick to set up a fake version of the site, complete with a seemingly valid SSL encryption certificate, and siphon users’ credentials, suggests HD Moore, chief research officer at the security firm Rapid7. “You wouldn’t have to man-in-the-middle a site for very long to get a crapload of credentials,” he says. “They could have harvested for 15 minutes and gotten 10,000 passwords.”

I’ve reached out to the New York Times and Twitter for more information about the extent of these potential breaches, and I’ll update this post if I hear back from them.

Update: Twitter security spokesperson Jim Prosser writes back that the Melbourne IT attackers had only limited access to its domain registration details and couldn’t have pulled off the scenario that Moore describes, only changed the “Whois” details. “The perpetrators weren’t able to change the actual DNS address of the domain — just the written registration details,” writes Prosser. He declined to comment further on the record, and referred me to Twitter’s official statement on the hack, which states that “no Twitter user information was affected by this incident.”

Moore points out that Melbourne IT may have been lucky that its Syrian attackers limited their attack to Twitter, the Times, and the Huffington Post UK. In fact, 26 of the top 250 sites on the Web based on Alexa rankings use Melbourne IT as a domain registrar, including Google.com, Microsoft.com, Yahoo.com, Aol.com, and Adobe.com. It’s not clear why the hackers didn’t use their access to go after more of those high-profile sites. “Someone could have gone much further with this and had a much more devastating impact,” he says.

In its statement, Melbourne IT says that some of its clients were protected by a “registry lock” feature that requires further verification for any change to a domain’s record at the registry. Because that lock is enforced by the registry operator rather than the registrar, a compromised registrar or reseller account cannot by itself alter the delegation. “For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com,” the statement reads. “Some of the domain names targeted on the reseller account had these lock features active and were thus not affected.”

But Moore says he checked Twitter.com’s domain registration as the attack took place and could see that it had implemented what looked like that “lock” safeguard, which seems to have failed to prevent the domain hijacking. “Whatever Twitter did, it didn’t make a difference,” he says. (Update: As I noted above, Twitter disputes this.)
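The two checks that this incident turns on, written up as an added example that is not code from the article or from any of the companies it names: the script parses a WHOIS reply for the delegated name servers and the EPP status codes, compares the name servers with an expected baseline, and reports whether the registry-level lock statuses (serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited) are present. Those server* statuses can only be cleared by the registry operator; the client* statuses that also show up as a “lock” in WHOIS are set and cleared by the registrar, so the same registrar or reseller access an attacker gains in a compromise is enough to remove them. The WHOIS text, the domain example.com and the name-server names are constructed placeholders, not real records.

```python
"""Check a WHOIS record for an unexpected change of name servers and for
the presence of registry-level (server*) EPP lock statuses.

Added example; the WHOIS text below is constructed for illustration and
the domain and name-server names are placeholders.
"""

# EPP statuses set by the registry itself. Only the registry can clear
# them, so a compromised registrar or reseller account cannot change the
# delegation while they are in place.
REGISTRY_LOCK_STATUSES = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
}

# EPP statuses set by the registrar. They stop accidental changes and
# unauthorised transfers, but anyone with registrar-level access can
# clear them before making a change.
REGISTRAR_LOCK_STATUSES = {
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
}


def parse_whois(text):
    """Extract name servers and EPP status codes from a Verisign-style WHOIS reply."""
    name_servers = []
    statuses = set()
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        value = value.strip()
        if key == "name server" and value:
            name_servers.append(value.lower().rstrip("."))
        elif key in ("domain status", "status") and value:
            # Status lines look like
            # "clientTransferProhibited https://icann.org/epp#clientTransferProhibited"
            statuses.add(value.split()[0])
    return {"name_servers": name_servers, "statuses": statuses}


def assess(record, expected_ns):
    """Return a list of findings; an empty list means the delegation looks intact."""
    findings = []
    actual = set(record["name_servers"])
    expected = {ns.lower().rstrip(".") for ns in expected_ns}
    if actual != expected:
        findings.append(
            "name servers changed: expected %s, got %s"
            % (sorted(expected), sorted(actual))
        )
    missing_registry = REGISTRY_LOCK_STATUSES - record["statuses"]
    if missing_registry:
        findings.append("no registry lock: missing " + ", ".join(sorted(missing_registry)))
    missing_registrar = REGISTRAR_LOCK_STATUSES - record["statuses"]
    if missing_registrar:
        findings.append("no registrar lock: missing " + ", ".join(sorted(missing_registrar)))
    return findings


# Constructed sample records (placeholder domain and name servers).
EXPECTED_NS = ["ns1.example.net", "ns2.example.net"]

# A domain with both registrar and registry locks and the expected delegation.
LOCKED_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
"""

# The same domain after a registrar-level compromise: the registrar locks are
# still shown, but they did not stop the delegation from being repointed.
HIJACKED_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: NS1.ATTACKER.EXAMPLE
   Name Server: NS2.ATTACKER.EXAMPLE
"""

if __name__ == "__main__":
    for label, text in (("locked", LOCKED_WHOIS), ("hijacked", HIJACKED_WHOIS)):
        print(label, assess(parse_whois(text), EXPECTED_NS) or ["ok"])
```

Run against a live record by feeding the output of `whois example.com` to `parse_whois`; the baseline of expected name servers is something each domain owner has to maintain, which is why a monitoring job rather than a one-off check is the useful form of this.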

The Syrian Electronic Army, which supports Syrian dictator Bashar Al-Assad’s regime in the country’s widening civil war, has emerged over the last year as a frequent disruptive force online. Using phishing attacks, it’s hijacked the Twitter feeds of Justin Bieber, Angelina Jolie, the BBC, CBS, NPR, and even the Onion. In April, it used the AP feed to deliver false news that President Obama had been injured in an explosion at the White House, causing a temporary 150 point dive in the stock market’s Dow Jones Industrial Average.

Though the Times continues to battle its Syrian foes, Moore argues that the SEA could have used its Melbourne IT attack to inflict far more serious damage than any of those previous hacks. “This comes off as kind of clumsy and a waste of a serious bug,” he says. “It could have gone a whole lot worse.”

Source: http://www.forbes.com/sites/andygreenberg/2013/08/28/syrian-hack-of-nytimes-com-and-twitter-could-have-inflicted-much-more-than-mere-embarrassment/





Early Sunday morning, part of the Chinese Internet went down in what the government is calling the largest denial-of-service attack it has ever faced. According to the China Internet Network Information Center, the attack began at 2 a.m. Sunday morning and was followed by an even more intense attack at 4 a.m. The attack was aimed at the registry that allows users to access sites with the extension “.cn”. As originally reported by the Wall Street Journal, the attack is perhaps more an indicator of just how susceptible the global Internet infrastructure is to these types of attacks.

China has one of the most sophisticated filtering systems in the world. Furthermore, analysts rate China’s government as one of the most capable at carrying out cyber attacks. Despite both of these points, China was not able to keep its own .cn registry up under this attack.

DoS (denial of service) and DDoS (distributed denial of service) attacks are among the largest threats to the Internet and the Internet of Things. The more our world becomes connected and dependent on the Internet, the more opportunities there are to disrupt the everyday services that run over it. Here are some of the more recent examples:

Latest DoS attacks around the world


  • Anonymous Demands Recognition of DDoS as a Legal Form of Protest

We all know how annoying a DDoS attack is, and how inconvenient it becomes to reach a much-needed site. While we may curse the people behind DDoS attacks, the renowned hacktivist group Anonymous is looking to get such attacks the status of legal protest.

According to Anonymous, DDoS is done to send a message to the affected party, which is why they’ve petitioned the Obama administration to recognize DDoS as a legal form of protest. In the petition, the Anonymous group also demanded that anyone who has been jailed for participating in a DDoS attack should be immediately released, and anything related to the attack should be wiped from their criminal records.

  • FBI Enlists US Bank’s Help To Head Off Iranian Cyber Attacks

In order to combat a wave of cyberattacks that have rattled the US banking industry since last year, the FBI has given certain banking executives extensive briefings on its classified investigations. The collaboration is part of a new policy being initiated by the FBI to try to foster closer cooperation between authorities and the private sector.

  • Did Hackers Take Down NASDAQ?

News emerged that a significant disruption caused the NASDAQ trading market to shut down for more than three hours starting at 9:20am PST on August 22nd. The problem manifested itself in the quote processing system, prompting the first awareness of the issue.

This seems eerily reminiscent of another NASDAQ incident in May 2012, during which Facebook’s IPO was bungled due to a “software glitch”. That incident prompted a $10 million fine for NASDAQ, but more importantly a rising lack of confidence has emerged in investor sentiment surrounding the technical elements of today’s trading systems. People have questioned whether the structure itself is flawed, and whether there is an overabundance of dependence on technology baked into both trading strategies and automated trading systems.

  • CyberBunker Launches “World’s Largest” DDoS Attack, Slows Down The Entire Internet

A massive cyberattack attributed to the Dutch web hosting company CyberBunker has caused global disruption of the web, slowing down internet speeds for millions of users across the world, according to a BBC report. The assault, described by the BBC as the world’s biggest ever cyberattack, targeted the anti-spam organisation Spamhaus, which maintains a blacklist used by email providers to filter out spam.

  • Bitcoin Under Attack? Dwolla & Mt. Gox Both Hit With DDoS Attacks Overnight

Another day, another DDoS attack. This time round, it’s the turn of alternative online payments provider Dwolla, which saw its website taken offline for a brief period of time. The site has since come back online, but the company said in a statement that some users may still experience issues as the attack remains ongoing.

Source: http://siliconangle.com/blog/2013/08/26/5-notorious-ddos-attacks-in-2013-big-problem-for-the-internet-of-things/?angle=silicon

A security researcher picks apart the shady world of Booter services that offer distributed denial of service attacks as a service.

A security researcher speaking at the Black Hat conference last week has exposed the malicious underworld of Booter services that offer paying customers distributed denial of service (DDoS) attack capabilities on demand.

Lance James, chief scientist at Vigilant, explained to eWEEK that he got pulled into an investigation into the world of Booter services by his friend, security blogger Brian Krebs. Krebs had been the victim of a Booter service attack and was looking for some answers.

“Basically a Booter is a Web-based service that does DDoS for hire at very low prices and is very hard to take down,” James said. “They are marketed toward script kiddies, and many DDoS attacks that have been in the news have been done via these services.”

James was able to identify the suspected Booter site via Website log files and began to trace the activity of the individual who specifically attacked Krebs. Further investigation revealed that the same individual was also attacking other sites, including whitehouse.gov and the Ars Technica Website.

After James was able to identify the Booter service and directly connect it to the attacks against Krebs, the two were able to help shut down the Booter service itself.

James said the data was handed off to law enforcement, and the specific Booter service that initially attacked Krebs was shut down within a short period of time. The delay in taking down a Booter service comes from the fact that the Internet service provider (ISP) the service appears to be hosted at is not where the Booter service actually runs.

“There is a service in the middle that protects the Booter sites with turnkey Web security routing,” James explained. “In that case, they operate similar to the legal confines of Facebook and Twitter, and they require subpoenas and warrants to shut it all down.”
How Booter Services Work
The challenge in locating the root source of the Booter service is also due to the operational complexity of how the Booter works.

Booter services typically have a Web front end, where the end user who wants to target a given site is provided with an interface. James explained that the Web front end is just the control panel, while the underlying back end with the hosts that execute the DDoS attack is located elsewhere.

“So to the underlying ISP that is involved, it doesn’t look like anything that is malicious,” James said. “There is no DDoS traffic coming directly from the ISP.”

The DDoS traffic comes from a separate infrastructure that includes servers all over the world, which the Booter services reach through proxies.

“So when you actually request a Booter service takedown, it’s very difficult because the ISP on which the site is hosted has plausible deniability,” James said. “They can say, ‘We haven’t seen them do anything illegal from our site,’ so you really need to prove that.”
Follow the Money
One of the ways that James was able to help track down the individual behind the Booter service was via the PayPal email address the person was using to get paid for his services. James’ investigation ended up looking at over 40 Booter services, and all of them used PayPal as their payment mechanism.

“A lot of the times to disrupt something, the economic structure has to be disrupted,” James said. “If you look at the motivation—and the motivation is money—you need to disrupt what they are seeking.”
Source: http://www.eweek.com/security/how-do-booters-work-inside-a-ddos-for-hire-attack/

A quarter of UK companies have experienced a distributed denial-of-service (DDoS) attack, with telecoms and e-commerce the most targeted sectors.

According to research by Neustar, 22 per cent of the 381 UK businesses it surveyed had experienced a DDoS attack. By sector, 53 per cent of telecoms, 50 per cent of internet/e-commerce and 43 per cent of retail businesses were affected.

Talking to SC Magazine, Susan Warner, market manager for DNS services and DDoS solutions at Neustar, said that there is not a network that has not experienced a DDoS attack and asked what the cost could be if a site is down for a period of time.

She said: “Also consider the impact on IT, how many people are being consumed by a DDoS attack and what are they losing operationally? What we are seeing is a cost impact, but cost and risk management will feel the impact.”

The survey discovered that the IT team would be the hardest hit according to 69 per cent of respondents, while 57 per cent said customer service would feel the effect. In terms of how many people were required to mitigate an attack – 40 per cent said two to five people, 35 per cent said only one person, while 12 per cent said more than ten would be required.

The attack sizes being launched on UK businesses are not large: 40 per cent said that they are less than 100Mbps, while 30 per cent said that they are less than 1Gbps. However, 22 per cent can persist for over a week, although 63 per cent last less than a day.

Warner said: “When you are being [attacked by a] DDoS constantly, there is an impact on the IT team. DDoS is not just taking down the website and interface, but also [affects] critical communications.”

Asked what companies use to defend against a DDoS attack, 72 per cent said a firewall, 40 per cent a router and 32 per cent switches. A third (34 per cent) has deployed specialist technology – 20 per cent a cloud-based DDoS service, nine per cent IP-based prevention and five per cent DDoS hardware.

Source: SC Magazine

A former cloud-networking executive’s advice is for the telecom industry to get going with software-defined networking (SDN) and to do something big about distributed denial-of-service (DDoS) attacks.

They aren’t directly related issues, but they were both on the mind of Dennis Brouwer, the afternoon keynoter at POTE on Tuesday. Brouwer recently started his own consulting firm, The Brouwer Group, but he previously launched the Converged Cloud strategy at Savvis and stuck around as a senior vice president after Savvis was acquired by CenturyLink Inc.

On the subject of SDN, Brouwer is a true believer in open-source and thinks carriers will have to embrace it to make sure “that the capabilities that service providers want to fold into their infrastructures become viable.”

The OpenDaylight Foundation is making a run at that, building an open-source SDN framework. Brouwer didn’t directly refer to the number of large vendors involved in OpenDaylight, but he did note that a dynamic SDN ecosystem “can’t be just the usual big providers.”

Some carrier has to come out and champion SDN as well, in a way much bigger than what’s been done so far, he said. Someone has to take the lead by showing what’s possible. It would have to be a carrier with a wide reach, one that owns not just a network but data centers, and maybe mobile networks and some content as well.

Candidates would include the big U.S. carriers now that they’ve acquired cloud operations — Brouwer mentioned Verizon Communications Inc. with its Terremark acquisition, as well as his old CenturyLink home and AT&T Inc., which he noted has done work internally. A sleeper possibility would be Comcast Corp.

Regarding DDoS, Brouwer talked about the attacks becoming more vicious — arriving at speeds that can exceed 60Gbit/s — and harder to trace, since the attack can now come from “everywhere.” Once considered a nuisance, DDoS attacks have become serious, looming threats.

“As you talk with the companies that are being targeted by these attacks, they’re saying, to use the old Jaws analogy, ‘We’re looking for a bigger boat,'” he said.

Companies have dealt with DDoS on their own, but the potential for a national emergency means some kind of federally coordinated response is necessary, Brouwer said. He didn’t say federally mandated. His point was that the companies facing this threat — banks in particular — need to pool and organize their efforts, and find a way to join forces if necessary. Any number of government agencies would be appropriate for that job, Brouwer said.

Source: http://www.lightreading.com/software-defined-networking/how-carriers-should-respond-to-sdn-and-ddos/240154910