DDoS Defense Archive

A Chinese government-backed DDoS operation has been resurrected to disrupt pro-democracy supporters in Hong Kong, according to AT&T Cybersecurity.

The firm revealed in a new blog post yesterday that it spotted activity from the so-called “Great Cannon” starting on August 31, with the most recent DDoS attempts coming on November 25.

Specifically, it was observed trying to take offline the LIHKG website, which is used by Hong Kongers to share info and plan protests across the Special Administrative Region (SAR) of China wracked by unrest over the past few months.

The Great Cannon works by intercepting traffic from websites hosted in China and inserting malicious JavaScript in legitimate analytics scripts, thereby forcing users’ machines to covertly make requests against targeted sites.

The code not only attempts to repeatedly request the LIHKG home page but also multiple sites and memes that appear on the forum, so as to blend in with normal traffic, according to Chris Doman of AT&T Cybersecurity’s AlienVault business.

“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code that we won’t discuss here,” he explained.

“Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.”

The tool itself first came to prominence around four years ago when it was used to target the anti-censorship organization Greatfire.org. The researchers who revealed the cannon for the first time claimed it was co-located with China’s notorious Great Firewall censorship infrastructure.

Global anger spread after the Great Cannon was then turned on the developer site GitHub, which at the time hosted anti-censorship tools.

Researchers warned that the same tool could very easily be repurposed to deliver malware rather than DDoS attacks.

Source: https://www.infosecurity-magazine.com/news/chinas-great-cannon-fires-on-hong/

Internet service providers in South Africa fell prey to massive distributed denial of service (DDoS) attacks this past weekend.

RSAWEB subscribers were among the first to feel it, with the company issuing a notice at 01:56 on Friday morning stating that it was under attack. By 12:38, RSAWEB reported that the DDoS attack had abated and that services were stable.

Cool Ideas was next to be hit. It sent out a notice to subscribers on Saturday morning to say that it was experiencing problems on its network.

It later confirmed that it was facing the largest DDoS attack it had ever seen on its network. Cool Ideas co-founder Paul Butschi told MyBroadband that the size of the attack exceeded 300Gbps.

Butschi said the attack traffic statistics came from Cogent Communications and Hurricane Electric in London. Of the total traffic hitting their network, roughly 40Gbps was legitimate.

Attack on Afrihost, Axxess, and Webafrica

On the evening of Saturday, 23 November, the upstream provider supplying services to Afrihost, Axxess, and Webafrica came under attack. All three ISPs use Echo Service Provider.

Echo, in turn, appears to have a partnership with Liquid Telecom for international transit — Internet traffic that goes outside South Africa.

During previous attacks on Echo SP, Liquid Telecom helped to mitigate the attack. MyBroadband asked Liquid Telecom for details regarding the attack that crippled Afrihost, Axxess, and Webafrica on Saturday.

“Liquid Telecommunications can confirm that during the course of [Saturday] night an attack was initiated against one of our South African clients,” a spokesperson for the company said.

“This attack was similar in size and scale to previous attacks reported on. The attack was mitigated within minutes of being seen and the network has been stable without incident since the mitigation was performed.”

The previous attack on Echo SP on 27 October was in excess of 100Gbps. Liquid Telecom’s comments suggest that the most recent attack was around the same size.

Afrihost clients continued to complain that they were having trouble connecting to international services on Saturday evening.

On Sunday morning, MyBroadband forum members noticed that outbound international traffic from Afrihost was no longer flowing over Liquid Telecom’s network, but Telkom’s.

Another forum member found that Echo SP had only switched away from Liquid Telecom for outbound international traffic from South Africa. Inbound traffic from international sources was still being routed over Liquid Telecom’s network.

MyBroadband asked Afrihost, Webafrica, and Echo Service Provider for comment, but they did not respond by the time of publication.

Distributed denial of service and carpet bombing

A DDoS attack is a flood of garbage Internet traffic sent to servers, routers, and other computers on a network with the aim of making it impossible to communicate with them.

Under ordinary circumstances, generating 100Gbps or 300Gbps of traffic would require tremendous resources.

However, techniques such as DNS Amplification have made it easier and cheaper for attackers to generate large volumes of attack traffic than ever before.

DNS Amplification attacks, also referred to as DNS reflection, use improperly configured Domain Name System (DNS) servers to flood computers with network traffic. If the flood of bogus traffic is able to overwhelm the computer, it can’t respond to legitimate requests and appears offline to anyone on the Internet trying to reach it.

Reflection attacks work by requesting information from a server on the Internet, but then tricking it to send its response to the target computer the attacker wants to flood.

DNS servers are a popular choice for such attacks because they are critical Internet infrastructure designed to field millions of requests per second. They are also usually connected to high-bandwidth links to enable them to deal with large amounts of traffic.

Most importantly, attackers can often cause a DNS server to generate a response that is several times larger than their spoofed request. In other words, attackers use DNS servers to amplify their attack bandwidth. Hence the term “DNS Amplification”.
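The reflection and amplification mechanics described above can be spotted from a provider's own flow records: a victim receives DNS answer packets it never asked for, and the answer size relative to a query size exposes the amplification factor. The following detector is an added example, not code from the article; the flow records are constructed (TEST-NET addresses), and the 64-byte query size used to compute the factor is an assumption.

```python
"""Added example: flag DNS reflection/amplification floods in NetFlow-style records.

Constructed sample flows (not from the article). Each flow is (src_ip, src_port,
dst_ip, dst_port, proto, packets, bytes). Inbound UDP/53 answers are paired with
outbound UDP/53 queries per local host: a reflection victim receives answers it
never asked for, and the byte ratio gives the amplification factor.
"""
from collections import defaultdict

LOCAL_NET = "203.0.113."      # constructed "our customers" prefix (TEST-NET-3)
ASSUMED_QUERY_BYTES = 64.0    # assumption: size of the attacker's spoofed query

SAMPLE_FLOWS = [
    # legitimate resolver use: one query out, one answer back
    ("203.0.113.10", 51234, "198.51.100.53", 53, "udp", 1, 70),
    ("198.51.100.53", 53, "203.0.113.10", 51234, "udp", 1, 180),
    # reflection flood: open resolvers answer queries the victim never sent;
    # the spoofed queries went to the resolvers, so they never appear inbound
    ("192.0.2.1", 53, "203.0.113.77", 4444, "udp", 40, 120000),
    ("192.0.2.2", 53, "203.0.113.77", 4444, "udp", 35, 105000),
    ("192.0.2.3", 53, "203.0.113.77", 4444, "udp", 30, 90000),
]

def dns_reflection_report(flows, min_unsolicited=50, min_ratio=10.0):
    """Return {victim_ip: (unsolicited_packets, amplification)} for local hosts
    that receive far more DNS answer packets than the queries they sent."""
    queries_out = defaultdict(int)              # local host -> query packets sent
    answers_in = defaultdict(lambda: [0, 0])    # local host -> [packets, bytes]
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp":
            continue
        if src.startswith(LOCAL_NET) and dport == 53:
            queries_out[src] += pkts
        elif dst.startswith(LOCAL_NET) and sport == 53:
            answers_in[dst][0] += pkts
            answers_in[dst][1] += nbytes
    report = {}
    for host, (pkts, nbytes) in answers_in.items():
        unsolicited = pkts - queries_out[host]
        if unsolicited < min_unsolicited:
            continue
        # average answer size over the assumed query size: the bandwidth gain
        # the attacker obtains per reflected packet
        amplification = (nbytes / pkts) / ASSUMED_QUERY_BYTES
        if amplification >= min_ratio:
            report[host] = (unsolicited, round(amplification, 1))
    return report
```

Thresholds are illustrative; on a real collector the query/answer pairing would be done per source port as well, which the sample keeps simple.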

When the target of such an attack is a web server or critical network infrastructure, such a DDoS attack causes an outage. Network providers have developed methods to mitigate such attacks, and so attackers have found new ways of launching effective assaults.

One such technique is “carpet bombing”, where an Internet service provider’s individual customers are sent large volumes of garbage network traffic.

In some cases, the individual connections of customers are flooded. However, even when the traffic is not enough to flood a subscriber’s connection, the overall traffic on the network eventually adds up to a point where the ISP’s core network infrastructure cannot cope with the load.

Carpet bombing attacks are specifically used against organisations like ISPs with the aim of bringing down their whole network.

Data centre operators, web hosting companies, and large corporate networks – anyone who runs their own pool of IP addresses – are also examples of potential targets of carpet bombing attacks.
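The reason carpet bombing slips past conventional defences is that per-destination alarms never fire: each subscriber stays under the threshold while the prefix total saturates the core. The following is an added example, not from the article, comparing a per-host alarm with an aggregate-by-prefix check over constructed per-subscriber rates; the threshold and link capacity values are assumptions.

```python
"""Added example: spot a carpet-bombing flood that per-host thresholds miss.

Constructed per-host inbound rates (Mbit/s) for two customer /24 prefixes, not
measurements from the article. A classic per-destination DDoS alarm fires only
when one host exceeds HOST_ALERT_MBPS; a carpet bombing attack keeps every host
below that while the prefix total exceeds what the core link serving it carries.
"""
from collections import defaultdict
from ipaddress import ip_network

HOST_ALERT_MBPS = 100.0        # assumption: per-subscriber alarm of a DDoS appliance
PREFIX_CAPACITY_MBPS = 1000.0  # assumption: core link capacity serving one /24

def build_sample():
    """Constructed rates: prefix A is normal usage, prefix B is carpet-bombed."""
    rates = {}
    for i in range(1, 255):                    # a few Mbit/s per home subscriber
        rates[f"203.0.113.{i}"] = 3.0
    for i in range(1, 255):                    # 40 Mbit/s of junk to every address,
        rates[f"198.51.100.{i}"] = 40.0        # each one under the per-host alarm
    return rates

def per_host_alerts(rates, threshold=HOST_ALERT_MBPS):
    """The conventional check: hosts whose own rate exceeds the alarm level."""
    return sorted(ip for ip, mbps in rates.items() if mbps > threshold)

def carpet_bomb_alerts(rates, capacity=PREFIX_CAPACITY_MBPS, prefix_len=24):
    """Aggregate by prefix and flag prefixes whose total exceeds link capacity
    even though no single host tripped the per-host alarm."""
    totals = defaultdict(float)
    for ip, mbps in rates.items():
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        totals[str(net)] += mbps
    return {net: round(total, 1) for net, total in totals.items() if total > capacity}
```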

Source: https://mybroadband.co.za/news/internet/329539-massive-ddos-attacks-south-african-internet-providers-crippled.html

A new botnet named Roboto is targeting Linux servers running the Webmin app, according to security researchers at 360 Netlab. Roboto is a peer-to-peer botnet that has been active since summer and is exploiting a vulnerability in the Webmin app. The app offers a web-based remote management system for Linux servers and is installed on as many as 215,000 servers.

The vulnerability, identified as CVE-2019-15107, allows bad actors to compromise older Webmin servers by running malicious code and gaining root privileges. The vulnerability was identified and patched by the company behind Webmin. However, many users have not installed the latest version with the patch, and Roboto botnet is targeting such servers.

According to security researchers, the Roboto botnet has DDoS attack capability in its code, and it is the main feature of the botnet. The bad actors behind the botnet aim to expand it by conducting DDoS attacks via vectors such as HTTP, ICMP, UDP, and TCP.

Also, once the botnet compromises a Linux system running the older version of the Webmin app, it can perform actions like collecting system, network, and process information. It further uploads the collected data to a remote server, executes Linux commands, and initiates a file download from a remote URL.

What makes the Roboto botnet unique is its peer-to-peer network structure.

To avoid this attack, we recommend that users update the Webmin app to version 1.930, or disable the ‘user password change’ option in the app.

Source: https://fossbytes.com/linux-servers-webmin-targeted-ddos-attacks/

Party understood to be subject of second distributed denial of service (DDoS) attack on Tuesday afternoon.

The Labour party has faced a second cyber-attack, a day after experiencing what it called a “sophisticated and large-scale” attempt to disrupt its digital systems.

It is understood the party was the subject of a second distributed denial of service (DDoS) attack on Tuesday afternoon. Such attacks use “botnets” – networks of compromised computers – to flood a server with requests that overwhelm it.

A Labour spokeswoman said: “We have ongoing security processes in place to protect our platforms, so users may be experiencing some differences. We are dealing with this quickly and efficiently.”

Labour has not said who it suspects is behind the attacks, but said it was confident its security systems ensured there was no data breach.

Party officials have reported the initial attack, which took place on Monday, to the National Cyber Security Centre, the government agency that supports and advises organisations on such incidents.

Labour has not said which digital platforms were targeted, but it is understood some of them were election and campaigning tools, which would contain details about voters. The party has sent a message to campaigners to say what happened and to explain why the systems were working slowly on Monday.

A party spokeswoman said: “We have experienced a sophisticated and large-scale cyber-attack on Labour digital platforms. We took swift action and these attempts failed due to our robust security systems. The integrity of all our platforms was maintained and we are confident that no data breach occurred.

“Our security procedures have slowed down some of our campaign activities, but these were restored this morning and we are back up to full speed. We have reported the matter to the National Cyber Security Centre.”

Whitehall sources said the initial indications were that the attack was carried out by a “non-state actor”.

The party’s head of campaigns, Niall Sookoo, wrote: “Yesterday afternoon our security systems identified that, in a very short period of time, there were large-scale and sophisticated attacks on Labour party platforms which had the intention of taking our systems entirely offline.

“Every single one of these attempts failed due to our robust security systems and the integrity of all our platforms and data was maintained. I would like to pay tribute to all the teams at Labour HQ who identified this risk and acted quickly to protect us.”

DDoS attacks can vary in sophistication, but are generally easily mitigated. Web records show Labour is a customer of Cloudflare, which provides DDoS protection services to a large proportion of the web. The company protects customers from DDoS attacks by providing extra capacity as needed, filtering traffic so that only legitimate requests are dealt with and storing “cached” versions of websites on its own servers.

Even when DDoS attacks succeed, they rarely have implications beyond enforced downtime, as the target waits for the attack to end or secures extra bandwidth to deal with the new traffic. At their simplest, DDoS attacks can be hard to distinguish from legitimate traffic rises, as when cinema websites collapse when a new film is released.

DDoS attacks are cheap to pull off. Multiple criminal actors offer “DDoS as a service”, selling time on their botnets. One report from 2017 found a 300-second attack, with a total bandwidth of 125Gbps, could be purchased for €5; a longer attack, aimed at knocking a website offline for an hour, for €90. Others were even cheaper, offering three hours of downtime for $60.

Brian Higgins, a security specialist at Comparitech.com, said: “[The attacks] don’t normally represent any threat to data or information and can be defended against and recovered from quite easily if the victim has robust cybersecurity policies in place. It’s hardly surprising that the Labour party has been targeted given the current political landscape in the UK.”

Source: https://www.theguardian.com/politics/2019/nov/12/labour-reveals-large-scale-cyber-attack-on-digital-platforms

The specific type of TCP attack used in the recent spate of DDoS efforts was the TCP SYN-ACK reflection attack.

The last 30 days has seen a renewed increase in distributed denial-of-service (DDoS) activity, according to researchers, who said that they have observed a number of criminal campaigns mounting TCP reflection DDoS attacks against corporations.

Researchers at Radware said that the list of victims includes a number of large companies, including Amazon, IBM subsidiary SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting and SK Broadband.

The first major event in October took the Eurobet network down. Eurobet, an online sports gambling website, suffered a campaign that persisted for days and impacted several other betting networks, according to Radware.

Then, later in October, amid a flurry of DDoS attacks targeting companies in nearly every vertical around the world, the firm identified another large-scale multi-vector campaign that targeted the financial and telecommunications industries in Italy, South Korea and Turkey.

“This attack was noticed by the security community due to the reflective nature of one of the attack vectors,” the researchers noted. “In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of [the infrastructure of Turkish provider] Garanti Bilisim Teknolojisi ve Ticaret TR.A.S. were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”

The activity is a continuation of an uptick in attackers leveraging TCP reflection attacks that began in 2018, according to the firm. These tend to be low bandwidth, but they generate high packet rates (increased volumes of packets per second) that require large amounts of resources from network devices to process the traffic and cause outages. That’s why large corporate and telecom networks are often targets, Radware researchers explained.

The specific type of TCP attack used in the recent spate of DDoS efforts was the TCP SYN-ACK reflection attack. In this scenario, an attacker sends a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a range of random or pre-selected reflection IP addresses. The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. If the victim does not respond, the reflection service will continue to retransmit the SYN-ACK packet, resulting in amplification. The amount of amplification depends on the number of SYN-ACK retransmits by the reflection service, which can be defined by the attacker.

Most of the targeted networks did not respond properly to the spoofed requests, which would have disabled the TCP retransmit amplification, according to the analysis.
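Two things follow from the mechanism above for a defender at the targeted network: reflected SYN-ACKs are recognisable because no outbound SYN explains them, and the retransmit-based amplification collapses once the victim answers each stray SYN-ACK with a RST, which is the “proper response” the analysis says most targets lacked. The code below is an added example, not from the Radware report; the packet records are constructed, and the retransmit count follows the Linux tcp_synack_retries default of 5.

```python
"""Added example: TCP SYN-ACK reflection, seen from the victim's edge.

Constructed packet records (src, sport, dst, dport, flags), not data from the
Radware report. Two checks a defender can run over a capture or flow log:
 1. inbound SYN-ACKs that match no outbound SYN are reflected replies to
    packets forged with our address;
 2. the number of packets one forged SYN draws out of a reflector, and how a
    RST from the victim cuts that amplification to a single packet.
"""
from collections import Counter

VICTIM = "203.0.113.5"

# constructed capture: one genuine handshake plus reflected SYN-ACKs from three
# hosts the victim never contacted, each retransmitted five times (6 packets)
SAMPLE_PACKETS = [
    (VICTIM, 40000, "198.51.100.9", 443, "S"),        # our own outbound SYN
    ("198.51.100.9", 443, VICTIM, 40000, "SA"),       # legitimate reply to it
] + [("192.0.2.%d" % r, 80, VICTIM, 1024 + r, "SA")
     for r in (1, 2, 3) for _ in range(6)]

def unsolicited_synacks(packets, victim=VICTIM):
    """Count inbound SYN-ACKs per reflector that no outbound SYN explains."""
    sent_syn = {(d, dp, sp) for s, sp, d, dp, f in packets
                if s == victim and f == "S"}
    hits = Counter()
    for s, sp, d, dp, f in packets:
        if d == victim and f == "SA" and (s, sp, dp) not in sent_syn:
            hits[s] += 1
    return dict(hits)

def reflected_packets(synack_retries=5, victim_sends_rst=False):
    """Packets one spoofed SYN draws out of a reflector. A Linux reflector
    retransmits an unanswered SYN-ACK tcp_synack_retries times (default 5),
    so one forged SYN yields six packets; a RST from the victim aborts the
    half-open connection after the first SYN-ACK, so only one packet arrives."""
    return 1 if victim_sends_rst else 1 + synack_retries
```

The per-reflector count of unsolicited SYN-ACKs is also what a reflector-side operator would see as an apparent SYN flood from the victim, the collateral effect the post describes.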

The impact range of these kinds of campaigns is significant, according to Radware, degrading service at the targeted networks as well as reflection networks across the world.

“Not only do the targeted victims, who are often large and well-protected corporations, have to deal with floods of TCP traffic, but randomly selected reflectors, ranging from smaller businesses to homeowners, have to process the spoofed requests and potential legitimate replies from the target of the attack,” researchers wrote in a recent post. “Those that are not prepared for these kinds of spikes in traffic suffer from secondary outages, with SYN floods one of the perceived side-effects by the collateral victims.”

In the more recent TCP reflection attacks, the firm’s forensics showed that the attackers leveraged a large majority of the internet IPv4 address space as reflectors, with the spoofed packets originating from either bots or servers hosted on subnets without IP source address verification.

The 2019 activity follows an 11 percent dip in the number of DDoS attacks in the fourth quarter of 2018, following the FBI’s crackdown on 15 DDoS-for-hire sites.

Source: https://threatpost.com/massive-ddos-amazon-telecom-infrastructure/150096/