DDoS Attacks Archive

Cloudflare, the backbone of many of the web’s biggest sites, experienced a global outage that left many wondering what could have happened.

The fragility of the internet was exposed yesterday (2 July) when users across the world came across many websites displaying the error message ‘502 Bad Gateway’. Shortly after, social media was flooded with questions as to what caused such an outage across seemingly unconnected sites.

Soon after, Cloudflare, a content delivery and DDoS protection provider, said an error on its part was behind the massive outage. A quick look at the company’s systems status page showed that almost every major city in the world was affected in some way, including Dublin.

23 minutes after Cloudflare confirmed that it was experiencing issues, it announced that it had “implemented a fix”. 35 minutes later, it revealed the cause of the outage.

“We saw a massive spike in CPU that caused primary and secondary systems to fall over,” a statement said. “We shut down the process that was causing the CPU spike. Service restored to normal within ~30 minutes.”

Soon after, it announced that normal operations had resumed. So what could have caused such a major outage so soon after another one that occurred on 24 June?

Testing processes were ‘insufficient in this case’

In a blogpost, Cloudflare CTO John Graham-Cumming was able to reveal that the CPU spike was the result of “bad software deploy that was rolled back”. He stressed that this was not the result of a well-crafted DDoS attack.

“The cause of this outage was deployment of a single misconfigured rule within the Cloudflare Web Application Firewall (WAF) during a routine deployment of new Cloudflare WAF managed rules,” Graham-Cumming said.

“We make software deployments constantly across the network and have automated systems to run test suites, and a procedure for deploying progressively to prevent incidents. Unfortunately, these WAF rules were deployed globally in one go and caused today’s outage.”

He went on to admit that such an outage was “very painful” for customers and that the company’s testing processes were “insufficient in this case”.

This outage was different to the one that occurred on 24 June, which Cloudflare described as the internet having “a small heart attack”. It was revealed that network provider Verizon directed a significant portion of the internet’s traffic to a small company in the US state of Pennsylvania, resulting in a major information pile-up.

Source: https://www.siliconrepublic.com/enterprise/cloudflare-outage-502-bad-gateway-explained

‘DerpTrolling’ group also attacked Dota 2, Battle.net

Another hacker behind attacks on Daybreak Game Company, then known as Sony Online Entertainment, is going to prison. Austin Thompson of Utah will be behind bars for the next 27 months, the U.S. Attorney’s Office for the Southern District of California announced Tuesday.

Thompson, 23, pleaded guilty in November (official charge: “Damage to a Protected Computer”) in connection with attacks in late 2013 against SOE; his group, “DerpTrolling,” was allegedly behind several denial-of-service attacks on the online services for several SOE games, plus Battle.net, League of Legends, and Dota 2 in late 2013.

Thompson’s attacks preceded by about six months those of a group calling itself Lizard Squad, which targeted SOE and even made a bomb threat that forced a flight carrying its then-president to land. Thompson was not involved in those crimes.

In early January 2014, whoever was running DerpTrolling’s Twitter account said that federal agents had shown up at their home, but they had escaped through the bathroom. Thompson’s plea agreement said he was in charge of that account.

“Thompson typically used the Twitter account @DerpTrolling to announce that an attack was imminent and then posted ‘scalps’ (screenshots or other photos showing that victims’ servers had been taken down) after the attack,” prosecutors said in a statement.

Thompson will begin serving his sentence Aug. 23. He was also ordered to pay $95,000 in restitution to Daybreak Game Company.

Although unrelated, prosecutors in the United States and Finland also secured convictions for two members of Lizard Squad for their roles in attacks on the same target over the 2014 holidays. Zachary Buchta, then 20, of Maryland, received three months in federal prison and was ordered to pay $350,000 in restitution after his guilty plea in late 2017. And Julius Kivimaki was convicted in Finland in July 2015, receiving a two-year suspended prison sentence for his actions.

Source: https://www.polygon.com/2019/7/3/20680975/soe-hacker-sentenced-derptrolling-austin-thompson-utah

An internal Cloudflare problem caused websites to fall over, bringing some parts of the internet to a crawl.

Global internet services provider Cloudflare had trouble, and when it has problems, the internet has trouble, too. For about an hour, websites around the globe went down with 502 error messages.

The problem has now been fixed, and the service appears to be running normally. It’s still not entirely clear what happened.

In a short blog post, Cloudflare CTO John Graham-Cumming explained:

“For about 30 minutes today, visitors to Cloudflare sites received 502 errors caused by a massive spike in CPU utilization on our network. This CPU spike was caused by a bad software deploy that was rolled back. Once rolled back the service returned to normal operation and all domains using Cloudflare returned to normal traffic levels.”

Cloudflare CEO Matthew Prince subsequently explained the failure happened because:

“[A] bug on our side caused Firewall process to consume excessive CPU. Initially appeared like an attack. We were able to shut down process and get systems restored to normal. Putting in place systems so never happens again.”

Both Graham-Cumming and Prince emphasized this service disruption was not caused by an attack. Nor, Prince tweeted, was this a repeat of the Verizon Border Gateway Protocol network problem, which troubled Cloudflare and the internet last week.

How could this simple mistake cause so many problems? Cloudflare operates an extremely popular content delivery network (CDN). When it works right, its services protect website owners from peak loads, comment spam attacks, and Distributed Denial of Service (DDoS) attacks. When it doesn’t work right, well, we get problems like this one.

Cloudflare’s CDN works by optimizing the delivery of your website’s resources to your visitors. Cloudflare does this by serving your website’s static content to visitors from its global data centers, so your web server only has to deliver dynamic content. In addition, generally speaking, Cloudflare’s global network provides a faster route to your site than a visitor going directly to your site.

Its CDN is the most popular such service with 34.55% of the market. Amazon CloudFront is second with 28.84%. With over 16 million Cloudflare-protected sites, including BuzzFeed, Sling TV, Pinterest, and Dropbox, when Cloudflare has trouble, many of these websites are knocked off the internet.

Prince admitted this problem was the biggest ever internal Cloudflare problem. Prince tweeted:

“This was unique in that it impacted primary and all fail-over systems in a way we haven’t seen before. Will ensure better isolation and backstops in the future. Still getting to the bottom of the root cause.”

The problem also affected Cloudflare’s DNS service and its CDN.

To Cloudflare’s credit, the company is taking the blame and being transparent about what went wrong. At the same time, the episode emphasizes how much the internet now depends on a few important companies instead of many peer-to-peer businesses and institutions.

Source: https://www.zdnet.com/article/cloudflare-stutters-and-the-internet-stumbles/

DDoS attacks as a service have kicked off 2019 stronger than ever, according to a new report by Nexusguard, claiming the booter-originated attacks more than doubled their amounts compared to the fourth quarter of last year.

Nexusguard’s Q1 2019 Threat Report says the attacks are growing despite the FBI’s best efforts to curb them. DNS amplification DDoS attacks are still the favorite among DDoS-for-hire websites; these rose more than 40 times, quarter-on-quarter.

Telecommunications companies and communications service providers seem to be the number one victims, with those originating from Brazil being the most common targets.

According to the report, communications service providers should be careful with these evolved attacks, tackling them with scalable, cloud-based DDoS detection and mitigation. Those that choose a different path risk being targeted with ‘bit-and-piece’ attacks.

A bit-and-piece DDoS attack differs from a traditional DDoS attack in that it takes advantage of a large attack surface and spreads tiny amounts of attack traffic across hundreds of IP addresses. Spread that thinly, the traffic from any single address looks innocuous, so the attack acts as a diversion and evades detection.
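The detection gap described above is easiest to see in code. The following is an added illustration, not code from Nexusguard or from the article: a naive per-source threshold sees nothing, while aggregating the same flow records by destination (or by source prefix) exposes the flood. The flow records, thresholds and addresses are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed one-second flow sample: (src_ip, dst_ip, bytes). Documentation
# address ranges only; nothing here is real traffic.
TARGET = "203.0.113.5"
FLOWS = [("198.51.100.10", TARGET, 15_000), ("198.51.100.11", TARGET, 15_000)]
# 200 sources, each contributing a trickle far below any per-source limit.
FLOWS += [(f"192.0.2.{i}", TARGET, 2_000) for i in range(1, 201)]


def per_source_offenders(flows, threshold):
    """Naive detector: flag a source only if it alone exceeds the threshold."""
    totals = defaultdict(int)
    for src, _dst, nbytes in flows:
        totals[src] += nbytes
    return {src for src, total in totals.items() if total > threshold}


def per_destination_offenders(flows, threshold):
    """Aggregate by destination: total inbound bytes regardless of how many
    sources it is spread across. This is what catches a bit-and-piece flood."""
    totals = defaultdict(int)
    for _src, dst, nbytes in flows:
        totals[dst] += nbytes
    return {dst: total for dst, total in totals.items() if total > threshold}


def per_prefix_offenders(flows, prefix_len, threshold):
    """Aggregate sources by network prefix; useful when the pieces come from
    a few netblocks rather than from genuinely scattered addresses."""
    totals = defaultdict(int)
    for src, _dst, nbytes in flows:
        prefix = str(ip_network(f"{src}/{prefix_len}", strict=False))
        totals[prefix] += nbytes
    return {p: total for p, total in totals.items() if total > threshold}


if __name__ == "__main__":
    print("per-source offenders:", per_source_offenders(FLOWS, 20_000))
    print("per-destination offenders:", per_destination_offenders(FLOWS, 200_000))
    print("per-/24 offenders:", per_prefix_offenders(FLOWS, 24, 100_000))
```

The per-destination view works even when the sources are spread across unrelated networks; the per-prefix view is a cheaper complement only when they cluster.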

“Due to the increasing demand for DDoS attack services and the boom in connected devices, hackers for hire have doubled and DDoS campaigns are not going away for organizations,” said Juniman Kasman, chief technology officer for Nexusguard. “Businesses will need to ensure their attack protections can seamlessly evolve with new vectors and tactics that attackers seek out, which ensures service uptime, avoids legal or reputational damages, and preserves customer satisfaction.”

Source: https://www.itproportal.com/news/ddos-for-hire-attacks-on-the-rise/

Botnets in 2018 continued to use DDoS as their primary weapon to attack high-speed networks, according to NSFOCUS.

Continuous monitoring and research of botnets uncovered significant changes in the coding of the malware used to create bots, and in the operation and maintenance of botnets and IP Chain-Gangs.

Throughout 2018, NSFOCUS developed profiles on 82 IP Chain-Gangs, groups of bots from multiple botnets acting in concert during specific cyber-attack campaigns. Understanding botnets in general and IP Chain-Gangs, in particular, helps improve defensive strategies and, thus, the ability to better mitigate attacks.

Key findings

  • NSFOCUS detected 111,472 attack instructions from botnet families that were received by a total of 451,187 attack targets, an increase of 66.4 percent from last year.
  • The U.S. (47.2 percent) and China (39.78 percent) were the two worst-hit countries when it came to botnet attacks.
  • Statistical analysis shows that gambling and porn websites were the most targeted, suffering 29,161 (an average of 79 per day) DDoS attacks throughout 2018.
  • Botnets shifted from Windows platforms towards Linux and IoT platforms, leading to the fast decline of older Windows-based families and the thriving of new IoT-based ones.
  • As for platforms hosting Command and Control (C&C) servers, families using IoT platforms, though smaller in quantity, were more active, attracting 87 percent of attackers.
  • In 2018, a total of 35 active families were found to issue more than 100 botnet instructions, accounting for 24 percent of all known families. Several families with the highest level of instruction activity accounted for most of the malicious activities throughout 2018.

“Security service providers need to adapt their strategies to better mitigate the increasing threats posed by the new generation of botnets,” said Richard Zhao, COO at NSFOCUS.

“As defenders, we not only need to enhance our capabilities of countering ransomware and cryptominers but also need to improve the protections for IoT devices.

“While the total number of IoT devices globally surges rapidly and IoT product lines are increasingly diversified, IoT devices still have poor security. Insecure firmware and communication protocols lead to numerous vulnerabilities in IoT platforms.”

Source: https://www.helpnetsecurity.com/2019/06/20/botnets-shift/