DDoS Defense Archive

A denial of service (DoS) attack floods a target machine with malicious traffic until its resources are exhausted and the system goes offline. A distributed denial of service (DDoS) attack is the same idea, except that it enlists many other machines in the attack, so the stakes, as they say, are much amplified. Here is a list of 8 major DDoS attack types.

1. UDP Flood

A UDP flood is a denial-of-service (DoS) attack that uses the User Datagram Protocol (UDP), a sessionless/connectionless networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood can be initiated by sending a large number of UDP packets to random ports on a remote host. For each packet, the remote host checks for an application listening on that port, finds none, and replies with an ICMP Destination Unreachable packet; answering a large enough stream of such packets consumes its resources.

2. Ping of Death

A ping of death is an attack that involves sending a malformed or otherwise malicious ping to a computer. A correctly formed ping message is typically 56 bytes in size, or 84 bytes when the Internet Protocol (IP) header is included. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size of 65535 bytes, and such oversized packets could crash the target computer. In early implementations of TCP/IP this bug was easy to exploit, and it affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers.

3. Reflected / Spoofed attack

A distributed denial of service attack may involve sending forged requests of some type to a very large number of computers that will reply to them. Using IP address spoofing, the source address is set to that of the targeted victim, so all the replies go to (and flood) the target.

4. Nuke

A Nuke is an old denial-of-service attack against computer networks that sends fragmented or otherwise invalid ICMP packets to the target, using a modified ping utility to repeatedly send this corrupt data, thus slowing the affected computer down until it comes to a complete stop.

5. Slowloris

Slowloris is a piece of software written by Robert “RSnake” Hansen that allows a single machine to take down another machine’s web server with minimal bandwidth and minimal side effects on unrelated services and ports. Slowloris tries to open many connections to the target web server and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending only a partial request on each.

6. Unintentional DDoS

This describes a situation where a website ends up unavailable, not due to a deliberate attack by an individual or group, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example as part of a news story.

7. Zero Day DDoS

A general term for attacks that rely on vulnerabilities and exploits that are still new and have not been patched yet.

8. SYN Flood

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
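The resource a SYN flood consumes is the table of half-open connections the server keeps between SYN-ACK and the final ACK; the “careful filtering measures” mentioned further down in the BTC China incident come down to not letting that table fill. A stateless SYN cookie is the classic way to do that. The Python below is an added illustration for this archive, not code from any of the quoted articles or vendors: the server answers every SYN with an initial sequence number that encodes a time slot, the client's MSS and an HMAC over the 4-tuple, stores nothing, and reconstructs the connection only when an ACK carrying a valid cookie comes back. The secret, the MSS table, the 64-second time slot and the 5/3/24-bit layout are assumptions of the example.

```python
import hmac
import hashlib
import time

# Constructed secret for the demo; a real server generates it at boot and rotates it.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"

# The client's MSS is squeezed into a small index so the cookie stays 32 bits.
MSS_TABLE = [536, 1220, 1440, 1460]


def _time_slot(now):
    """5-bit counter that ticks every 64 seconds; the cookie embeds it and the MAC covers it."""
    return (int(now) // 64) & 0x1F


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """24-bit HMAC tag over the 4-tuple, the client's ISN and the time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{slot}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now=None):
    """Build the server's initial sequence number for the SYN-ACK.

    Layout (32 bits): 5-bit time slot | 3-bit MSS index | 24-bit HMAC tag.
    Nothing about the half-open connection is stored; the ACK brings it all back.
    """
    now = time.time() if now is None else now
    slot = _time_slot(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (slot << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)


def check_syn_cookie(cookie, src_ip, src_port, dst_ip, dst_port, client_isn, now=None):
    """Validate the cookie carried back in the final ACK (caller passes ack_number - 1).

    Returns the MSS to use for the connection, or None if the cookie is forged,
    belongs to a different 4-tuple, or is older than the previous time slot.
    """
    now = time.time() if now is None else now
    slot = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    if (_time_slot(now) - slot) % 32 > 1:
        return None  # stale: only the current and the previous slot are accepted
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), tag.to_bytes(3, "big")):
        return None  # tag mismatch: forged, or replayed against another 4-tuple
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def demo_handshake():
    """Constructed exchange: SYN arrives, server answers with a cookie ISN, client ACKs it."""
    four_tuple = ("203.0.113.7", 51234, "198.51.100.1", 443)
    client_isn = 0x1A2B3C4D
    isn = make_syn_cookie(*four_tuple, client_isn, mss=1460, now=1_000_000)
    # Legitimate client: its ACK number is isn + 1 and arrives a few seconds later.
    good = check_syn_cookie(isn, *four_tuple, client_isn, now=1_000_010)
    # Spoofed-source flood: the SYN-ACK went to an address that never answers, so
    # nothing was ever stored; an ACK with a guessed cookie fails the tag check.
    forged = check_syn_cookie(isn ^ 0x1, *four_tuple, client_isn, now=1_000_010)
    return good, forged
```

The trade-off a practitioner should know: because the cookie has no room for TCP options beyond the MSS index, connections accepted through a cookie lose options such as window scaling, which is why kernels only switch to cookies once the half-open table is under pressure rather than all the time.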

Source: http://www.efytimes.com/e1/fullnews.asp?edid=137389

Man’s creation of money was shortly followed by man’s creation of money crime. In modern times, the financial industry’s latest nemesis is the Distributed Denial of Service attack (DDoS). As banks ramp up their protection technology, so too have hackers grown in opposing might.

The purpose behind a DDoS attack is to slow or bring down a website. These attacks are executed by flooding a target server with bot-generated requests, packets, or data. And who are the dark figures carrying out these cyber assaults? Hackers, either hired by business rivals or acting on their own.

These skilled computer experts usually aim to steal data, and disrupt the Internet ecosystem. Whether the impetus comes from financial, political, or personal motivations, hackers are reaping rewards for their deviant behavior with little fear of getting caught.

Get with the Financial Times

Financial institutions are particularly vulnerable to DDoS attacks. Although a strike on an unprotected online business can result in the loss of big money, most often they only cause minimal damage in terms of dollars and cents. DDoS is not designed to pilfer anything; those who inflict the attacks simply receive the benefit of hurting their competition. Rival companies often engineer attacks to damage their rivals’ reputation in the market, simultaneously boosting their own.

Hackers can now hit financial institutions, both large and small, at strengths thought impossible several years ago. BTC China, the third largest Bitcoin exchange in the world, received a DDoS attack last September that, at times, measured a substantial 100 Gbps. The barrage lasted more than nine hours. Fortunately, BTC China was prepared with DDoS protection services from Incapsula, one of the leading security protection agencies.

Incapsula identified the threat as a SYN flood, a method that floods a target server with connection requests that are never completed. While not the most sophisticated attack at a hacker’s disposal, SYN floods, especially of such sizes, are deadly when not countered with careful filtering measures.

What is the cyber-protection industry doing to combat these threats? Igal Zeifman, of Incapsula, responded to our query with these three tips:

  • On edge mitigation – Effective DDoS mitigation requires you to block malicious requests before they reach the origin server. This process involves accepting and identifying requests outside of your core infrastructure. In BTC’s case, Incapsula was able to leverage its network capacity (currently above 550 Gbps) with its reverse proxy setup. It filtered the traffic on edge, on its own network, between the attacker and their target. As a result, it allowed regular visitors to pass through without causing any service disruptions.
  • Transparency – When dealing with DDoS mitigation, one should always consider the alternative costs of mitigation and its impact on regular visitors. With DDoS attacks lasting for days and weeks at a time, your DDoS protection strategy should be devised to cause minimal business disruption. Simply put, if your response is to flash CAPTCHAs and delay pages to all visitors, you are just doing the attackers’ work for them by causing a “self-inflicted” disturbance of services.
  • Comprehensive protection – DDoS attacks come in different shapes and sizes and not all of them can be countered by network brawn, because some will require security expertise and finesse. To be protected from application layer DDoS attacks, you should rely on a strategy that uses a combination of bot filtering methods, most of which should be absolutely transparent. The industry standard today is a combination of JS- and cookie-based challenges, but these are not enough, as we now encounter DDoS bots that pass both tests and still cause damage to an under-protected server.

In Summary

A strong reputation is critical in the online finance industry. Customers are particularly sensitive to abnormalities when their money is involved. Cyber security industry experts are predicting record high DDoS numbers in terms of size and duration for 2014. Research third-party security services that fit your needs for DDoS protection.

Source: http://www.sitepronews.com/2014/04/11/security-specialists-discuss-ddos-protection-strategy-financial-site/

Legitimate software that sits on users’ desktops can be utilised by attackers to install malware and to generate denial of service (DoS) traffic.

According to DOSarrest CTO Jag Bains and general manager Mark Teolis, big dumb DoS attacks are common and can knock a data centre out, but smarter attacks are smaller, lower and slower.

Now sophisticated botnets, which have access to more compromised computing power, are used to run “headless browsers”: a legitimate WebKit-based browser engine that has been modified to run a series of queries and target basic UIs on your website.

Teolis said: “These were made for programmers to test out their websites, so made by Safari, Firefox, and now used for nefarious purposes. You stress on it and open up hundreds of sessions on your laptop and see how it runs, but now you can have unlimited process using Javascript, cookies and Captcha.”

Bains said: “You can download the software for free and modify it, PhantomJS is the most popular headless browser and people use it for legitimate purposes like monitoring services. We looked at adding a monitoring service to see how our website was doing 1-2 years ago and you can add a sensor and a certain location and tell it to tell you the load times of each element of the site, but others are modifying it for less than gallant reasons.”

The difference with a headless browser (effectively a piece of software without any user interface) is that it cannot be run effectively by an attacker alone, as the attacker needs the victim to load up the program and actively run it. “We see it as a factor of hackable, dedicated boxes out there, you can rent out a slice of virtual computing for $25 a month or more for compromised bots,” Bains said.

The issue for IT security is that it looks like a legitimate session and regular traffic, and it works because the attacker understands how the website is designed and where the weaknesses are. “You cannot set up a web application firewall to prevent it as it is using the same protocol as a real visitor would,” Bains said.

Teolis described it as “death by a thousand cuts”. He said: “All the boxes could not stop it as slow and low attacks come twice an hour, but with 50,000 of them how do you distinguish? With headless browsers it can jump through hoops and it will be a big problem for older boxes.”

A headless browser runs in its own instance, does its own coordination and just needs an operating system to run it. The only way it can be detected is if the victim runs a NetStack to see what is running out of port 80.

In terms of how to protect against a headless browser, Bains said that a pure play DDoS protection service can help, as this will evade signature-based detection to stop immediately. However it has to be parsed and analysed to be able to see the pattern and anything that wasn’t there an hour ago.

Teolis said: “With real time support there is a human involved and you can develop some rulesets to determine what is going on and implement this module. We can do it in seconds, and that is part of our software and we can do it in under a minute.”
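Two of the defences discussed on this page fit together: the JS and cookie challenges that Incapsula calls the industry standard, and the per-session pattern analysis that DOSarrest says is still needed because a headless browser executes the challenge script like any real browser and then keeps hitting the site. The Python below is an added example written for this archive, not code from Incapsula, DOSarrest or any product; the cookie format, the secret, the 600-second lifetime and the per-token rate limit are all assumptions. A verified cookie proves only that a JavaScript-capable client obtained it for this IP recently; the rate tracker then limits what each such token may do, which is what separates a headless browser that passed the challenge perfectly from a person clicking through pages.

```python
import hmac
import hashlib
import time
from collections import defaultdict, deque

# Constructed secret for the demo; a production edge rotates it and keeps it off the origin.
CHALLENGE_SECRET = b"constructed-demo-challenge-secret"
COOKIE_TTL = 600  # seconds a passed challenge stays valid (assumption)


def issue_challenge_cookie(client_ip, now=None):
    """Value the JS challenge page sets once it has run in the visitor's browser.

    The tag binds the cookie to the client IP and the issue time, so it cannot be
    copied to another source or kept forever.
    """
    ts = int(time.time() if now is None else now)
    tag = hmac.new(CHALLENGE_SECRET, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}.{tag}"


def verify_challenge_cookie(cookie, client_ip, now=None):
    """True only for an untampered cookie issued to this IP within COOKIE_TTL."""
    try:
        ts_str, tag = cookie.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed cookie
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= COOKIE_TTL:
        return False
    expected = hmac.new(CHALLENGE_SECRET, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(expected, tag)


class TokenRateTracker:
    """Sliding-window request count per verified cookie.

    A headless browser runs the JS and stores the cookie like any visitor, so the
    challenge alone does not stop it; what gives it away is the request rate behind
    one token, which is why the rate is tracked per cookie rather than per IP.
    """

    def __init__(self, window=60, limit=30):
        self.window = window
        self.limit = limit
        self.hits = defaultdict(deque)

    def hit(self, token, now):
        """Record one request for token at time now; False means over the limit."""
        q = self.hits[token]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_request(cookie, client_ip, tracker, now):
    """Edge decision for one request: 'challenge', 'allow' or 'throttle'."""
    if not verify_challenge_cookie(cookie, client_ip, now):
        return "challenge"  # serve the JS challenge page, not the origin
    if not tracker.hit(cookie, now):
        return "throttle"   # passed the challenge but requests far too fast
    return "allow"
```

In keeping with the transparency tip above, only the first request from a client ever sees the challenge page, and throttling applies to one token at a time rather than to every visitor; the limit and window should be tuned from the site's own traffic so that a human browsing quickly never reaches them.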

Source: http://www.itproportal.com/2014/04/01/headless-browsers-legitimate-software-enables-attack/

Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.

The technique made it possible for an attacker with modest resources to greatly amplify the bandwidth at its disposal. By sending spoofed Web requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle. Besides causing such a large number of unsuspecting sites to attack another one, the attack is notable for targeting XML-RPC, a protocol the sites running WordPress and other Web applications use to provide services such as pingbacks, trackbacks, and remote access to some users.

Researchers from security firm Sucuri recently counted more than 162,000 legitimate WordPress sites hitting a single customer website. They suspect they would have seen more if they hadn’t ended the attack by blocking the requests.

“Can you see how powerful it can be?” Sucuri CTO Daniel Cid wrote in a blog post published Monday. “One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.”

The result: the unidentified target website was flooded with hundreds of requests per second. Hundreds of requests per second may not sound like much, especially when compared with recent attacks, some of which reached volumes close to 400 gigabits per second. It’s important to remember that the XML-RPC traffic is directed at a targeted site’s layer 7 (aka application layer), which handles HTTP, FTP, DNS, and several other communications protocols. Many DDoS techniques direct torrents of traffic at a much lower level, usually in the network layer (aka layer 3). Layer 7 attacks frequently require much less junk data to be effective.
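On the target side, the reflected pingback traffic described above is visible in the web server’s access log. The Python below is an added example for this archive, not Sucuri’s code or scanner, and runs over a constructed log excerpt; it relies on the fact that WordPress identifies itself with a “WordPress/<version>; <site URL>” User-Agent when it fetches a URL to verify a pingback, and it assumes the common “combined” log format. It flags the seconds in which many distinct WordPress sites fetched the target at once, and produces the per-site hit count, which doubles as the list of unwitting site operators to notify.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format (assumption of the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress sends when it fetches a URL to verify a pingback;
# the URL after the semicolon names the (abused) WordPress site itself.
WP_UA_RE = re.compile(r'^WordPress/(?P<version>[\d.]+); (?P<site>https?://[^\s;]+)')

# Constructed sample: three different WordPress sites hit within one second, one of
# them twice, plus one ordinary visitor that must not be flagged. The query strings
# are constructed noise that a cache would not serve from memory.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:12:00:01 +0000] "GET /?4137049=643182 HTTP/1.1" 200 512 "-" "WordPress/3.8.1; http://blog-a.example"
203.0.113.11 - - [10/Mar/2014:12:00:01 +0000] "GET /?7712=1 HTTP/1.1" 200 512 "-" "WordPress/3.8.1; http://blog-b.example"
203.0.113.12 - - [10/Mar/2014:12:00:01 +0000] "GET /?91=5520 HTTP/1.1" 200 512 "-" "WordPress/3.7; http://blog-c.example"
198.51.100.5 - - [10/Mar/2014:12:00:01 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2014:12:00:02 +0000] "GET /?6=1 HTTP/1.1" 200 512 "-" "WordPress/3.8.1; http://blog-a.example"
"""


def parse_pingback_hit(line):
    """Return (timestamp, reflector_site) for a WordPress pingback fetch, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = WP_UA_RE.match(m["ua"])
    if not ua:
        return None
    return m["ts"], ua["site"]


def find_pingback_reflection(log_text, min_reflectors=3):
    """Flag seconds in which at least min_reflectors distinct WordPress sites fetched us.

    Returns the flagged seconds with the sites seen in each, and a per-site hit count
    that doubles as the notification list for the unwitting site operators.
    """
    sites_per_second = defaultdict(set)
    hits_per_site = Counter()
    for line in log_text.splitlines():
        hit = parse_pingback_hit(line)
        if hit is None:
            continue
        ts, site = hit
        sites_per_second[ts].add(site)  # log timestamps have one-second granularity
        hits_per_site[site] += 1
    flagged = {ts: sorted(sites) for ts, sites in sites_per_second.items()
               if len(sites) >= min_reflectors}
    return {"flagged_seconds": flagged, "hits_per_site": hits_per_site}
```

A single fetch with a WordPress User-Agent is normal: it is how a legitimate pingback gets verified. The signal is the number of distinct WordPress sites arriving in the same second, so `min_reflectors` should be set well above what the site’s own pingback traffic ever produces, and the User-Agent alone should not be used as a block rule.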

Cid’s blog post contains plenty of useful information about DDoS attacks that abuse XML-RPC, including this scanner that will indicate whether a specific Web address was observed participating in the attack Sucuri blocked. The post also provides instructions that operators of WordPress sites can follow to prevent their servers from being abused to carry out these types of attacks. The technique involves adding the following code to a site theme:

// Drop pingback.ping from the XML-RPC method table so this site cannot be used as a reflector.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

Cid doesn’t say if there are any negative consequences that will result from adding the filter. Since XML-RPC provides useful and possibly needed functionality, readers are advised to carefully consider the pros and cons before applying such a move to a production server. Readers who know more about the way the XML-RPC protocol is implemented in WordPress and the effects of the above filter are encouraged to share their knowledge in the comments.

The WordPress-enabled attacks are just one technique in a growing arsenal of powerful DDoS weapons. Other implementations include the abuse of the Internet’s time-synchronization protocol and the exploitation of open domain name system servers to greatly amplify traffic. Attackers have also waged extremely powerful DDoS campaigns using botnets of WordPress servers. The growing body of attacks shows that there’s no shortage of ways to inflict crippling damage on the Internet.

Source: http://arstechnica.com/security/2014/03/more-than-162000-legit-wordpress-sites-abused-in-powerful-ddos-attack/