DDoS Defense Archive

The news stories surrounding hacktivist groups like Anonymous might lead business professionals to think that cyber criminals focus their efforts on government agencies and multinational corporations, skipping smaller companies that receive minimal to no press.

Midsize businesses, however, are just as vulnerable to the ever-popular Distributed Denial of Service (DDoS) attacks hackers use to suspend the services associated with a particular target. Attackers don’t just DDoS targets as a way of voicing political or ideological opinions; dishonest business owners can employ the services of a third-party to cause harm to competitors via digital means.

According to a new report from HostExploit, a community organization that tracks cyber criminals who exploit hosts to deliver crimeware, hackers are using open Domain Name System (DNS) resolvers to launch DDoS attacks against their targets.

DNS servers are responsible for converting hostnames, or domain names, into Internet Protocol (IP) addresses. A DNS resolver searches through one or more name servers to locate the information needed to resolve a client’s request.

Hackers are using misconfigured resolvers, claim the authors of the latest edition of HostExploit’s World Hosts Report, to power a DDoS. According to the report, “an attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target’s IP address.” The resolver then responds to the victim’s IP, rather than sending the information to the IP address that submitted the original queries.
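The resolver operator’s view of the abuse described above, as an added example that is not from HostExploit or the article: a Python script that parses constructed BIND-style query-log lines and flags the two things the report’s scenario produces on a misconfigured resolver. First, recursive queries served to addresses outside the networks the resolver is meant to serve, which is the open-resolver misconfiguration itself. Second, a source address repeating the same amplification-friendly query many times, which on a resolver is more likely a spoofed victim than a real client. The log lines, the 10.0.0.0/8 allowed network, the set of query types and the threshold of 20 repeats are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# BIND 9 query-log line shape: "client <ip>#<port>: query: <name> IN <type> <flags>".
# The first flag character is '+' when the client set the RD (recursion desired) bit.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Networks this resolver is supposed to serve recursively (assumed; adjust per environment).
ALLOWED_RECURSION = [ipaddress.ip_network("10.0.0.0/8")]

# Record types whose answers are much larger than the query, so they amplify well.
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def _sample_lines():
    """Constructed log lines (not from any real resolver): a few legitimate internal
    queries, one stray external query, and a burst of identical ANY queries whose
    source address is an external host, i.e. the pattern a resolver sees when that
    host's address is being spoofed as a reflection victim."""
    lines = [
        "17-Oct-2012 06:31:05.101 client 10.1.2.10#53210: query: www.example.net IN A + (10.1.2.53)",
        "17-Oct-2012 06:31:05.150 client 10.1.2.11#53211: query: mail.example.net IN MX + (10.1.2.53)",
        "17-Oct-2012 06:31:06.010 client 198.51.100.9#4000: query: example.org IN A + (10.1.2.53)",
    ]
    for i in range(40):
        lines.append(
            f"17-Oct-2012 06:31:{7 + i // 10:02d}.{(i % 10) * 100:03d} client 203.0.113.7#{1024 + i}: "
            "query: example.com IN ANY + (10.1.2.53)"
        )
    return "\n".join(lines)


SAMPLE_LOG = _sample_lines()


def parse_query_log(text):
    """Return one dict per parsable query line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        records.append({
            "ip": ipaddress.ip_address(m.group("ip")),
            "qname": m.group("qname").lower(),
            "qtype": m.group("qtype").upper(),
            "recursion_desired": m.group("flags").startswith("+"),
        })
    return records


def find_external_recursion(records, allowed_nets=ALLOWED_RECURSION):
    """Client addresses outside the allowed networks that sent recursive queries.
    Any hit means the resolver is reachable as an open resolver from that address."""
    external = set()
    for r in records:
        if r["recursion_desired"] and not any(r["ip"] in net for net in allowed_nets):
            external.add(str(r["ip"]))
    return external


def find_reflection_victims(records, min_repeats=20, amp_types=AMPLIFYING_TYPES):
    """Heuristic: a source address that repeats the same amplification-friendly
    query many times is more likely a spoofed victim than a real client.
    Returns {client_ip: number_of_such_queries}."""
    counts = Counter(
        (str(r["ip"]), r["qname"], r["qtype"])
        for r in records if r["qtype"] in amp_types
    )
    victims = {}
    for (ip, _qname, _qtype), n in counts.items():
        if n >= min_repeats:
            victims[ip] = victims.get(ip, 0) + n
    return victims


def analyze(text, allowed_nets=ALLOWED_RECURSION):
    """Run both checks over a query log and return a summary dict."""
    records = parse_query_log(text)
    return {
        "parsed": len(records),
        "external_recursion": sorted(find_external_recursion(records, allowed_nets)),
        "likely_victims": find_reflection_victims(records),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample the script reports two external addresses that received recursive service (the misconfiguration to fix by restricting recursion to internal networks) and one of them, 203.0.113.7, as the probable spoofed victim of 40 ANY queries. The repeat threshold is a starting point, not a tuned value; on a busy resolver, compare against the per-client baseline rather than a fixed count.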

DDoS through DNS isn’t new–experts have been discussing it as a method of attack for a decade–but Neal Quinn, chief operating officer of Prolexic, told NetworkWorld, “We have seen [DDoS amplification] recently, and we see it increasing.”

DDoS attacks can have at least a moderate financial impact on a business, depending on how long the organization is affected. Outages can lead to increased operational costs–as loss of service must be addressed on top of other critical tasks–and lead to lost clients or customer refunds, harming revenue as a result. These attacks can also have a longer-lasting impact on a company’s reputation.

DDoS attacks are some of the most difficult to prevent, and common IT solutions–such as over-provisioning, in which a business provisions for several times the expected level of traffic during normal operation–won’t be as effective against efforts amplified using DNS resolvers. Even an Intrusion Detection System (IDS) won’t help, as these devices tend to disregard valid packets.

IT departments can rely on a third-party DDoS solution designed specifically to detect and mitigate attacks. Midsize businesses, however, should weigh the risks against the return on investment before subscribing to such services.

Source: http://midsizeinsider.com/en-us/article/hackers-use-dns-resolvers-to-distribute

Capital One confirms that its website had been hit by another distributed denial of service attack. This Oct. 16 incident was the second attack allegedly waged this month by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters against the $296.7 billion bank.

“Capital One is experiencing intermittent access to some online systems due to a denial of service attack,” bank spokeswoman Tatiana Stead said. “There was minimal impact to the majority of our customers.”

Also on Oct. 16, a post claiming to be from the Izz ad-Din al-Qassam Cyber Fighters appeared on the open Internet forum site Pastebin claiming new attacks against U.S. banks would be waged between Oct. 16 and Oct. 18. The group notes that this new wave of DDoS attacks is being initiated without advance warning. In earlier Pastebin posts, the group named the eight banks it eventually attacked.

The first attack against CapOne came Oct. 9, one day before the targeted attack against SunTrust Banks and two days before the attack against Regions Financial Corp.

Jason Malo, a financial fraud and security consultant with CEB TowerGroup, says the Oct. 9 attack against CapOne appeared to be one of the most damaging. “With CapOne, they seemed to take a bigger hit than the others,” he says. “Other banks seemed to handle the attacks better.”

The first institution to take a DDoS hit was Bank of America on Sept. 18, followed by JPMorgan Chase on Sept. 19 (see High Risk: What Alert Means to Banks). Attacks against Wells Fargo, U.S. Bank and PNC hit the following week (see More U.S. Banks Report Online Woes).

Izz ad-din Al Qassam says it will continue to target U.S. institutions until a YouTube movie trailer believed by the group to be anti-Islam is removed from the Internet. Experts, however, question whether that outrage is just a front for some more nefarious motive.

Source: http://www.bankinfosecurity.com/capone-takes-second-ddos-hit-a-5203

Over the past two weeks, the websites of multiple financial institutions–including Bank of America, JPMorgan Chase, PNC, U.S. Bank, and Wells Fargo–have been targeted by attackers, leading to their websites being disrupted. Furthermore, some banks appear to still be suffering related outages.

That’s led more than 1,000 customers of those institutions to file related complaints with Site Down, a website that tracks outages. Customers have reported being unable to access their checking, savings, and mortgage accounts, as well as bill-paying and other services, via the affected banks’ websites and mobile applications.

Many of the banks’ customers have also criticized their financial institutions for not clearly detailing what was happening, or what the banks were doing about it. “It was probably the least impressive corporate presentation of bad news I’ve ever seen,” Paul Downs, a small-business owner in Bridgeport, Pa., told The New York Times, where he’s also a small-business blogger.

A hacktivist group calling itself the Cyber fighters of Izz ad-din Al qassam has taken credit for the attacks, which it’s dubbed Operation Ababil, meaning “swarm” in Arabic. It said the attacks are meant to disrupt U.S. banking operations in retaliation for the release of the Innocence of Muslims film that mocks the founder of Islam.

Some of the attacked banks’ websites still appear to be experiencing outages, but Dan Holden, director of security for the Arbor Security Engineering and Response Team, said he’s seen no signs that any active attacks are currently underway. “Obviously, we’re only one day into the week, but we didn’t see anything yesterday, and while [the Cyber fighters of Izz ad-din Al qassam] said in the previous post that they’d be working over the weekend, there haven’t been any new posts stating that they’d be doing new attacks,” he said.

Tuesday, however, multiple Wells Fargo customers were still reporting that they were having trouble accessing the bank’s website, or getting it to respond after they’d logged in. “Day 8, still can’t get in with Safari or Firefox … getting old. I have a business to run here,” said an anonymous poster to Site Down. “This is getting old,” said another.

Asked to comment on reports that the bank’s website was continuing to experience outages, a spokeswoman for Wells Fargo repeated a statement released last week, saying via email that “customers can access their accounts through the online and mobile channels.”

Multiple Bank of America customers Tuesday also reported problems with the bank’s website, with some people saying they’d been experiencing disruptions for 10 days or more. “I agree … with all the other comments about this problem of being unable to go on line. What in the world is going on–get it fixed!” said an anonymous user Sunday on the Site Down website. But Bank of America spokesman Mark T. Pipitone said via email that the bank’s website has been working normally since last Tuesday, and suggested that the scale of any reported website problems was within normal parameters. “We service 30 million online banking customers,” he said. “Our online banking services have been, and continue to be, fully functional.”

Given attackers’ advance warning that they planned to take down the banking websites–which suggested that they’d launch distributed denial-of-service (DDoS) attacks–why didn’t banks simply block the attacks? As one PNC customer said in an online forum, “Come on PNC! Never heard of content delivery networks to make these attacks more difficult?? … Please invest in a more capable network security team and take care of your customers!”

But Arbor’s Holden, speaking by phone, said that the attackers had used multiple DDoS tools and attack types–including TCP/IP flood, UDP flood, as well as HTTP and HTTPS application attacks–together with servers sporting “massive bandwidth capacity.” So while the attacks weren’t sophisticated, they succeeded by blending variety and scale.

Given the massive bandwidth used in the attacks, were they really launched by hacktivists, which is what the attackers have claimed they are? Former U.S. government officials, speaking anonymously to various media outlets, have instead directly accused Iran of launching the attacks. Regardless of whether Iran is involved, Holden said that the bank attacks don’t resemble previously seen hacktivist attacks, which typically involved botnets of endpoint-infected PCs, or people who opted in to the attack, for example by using the Low Orbit Ion Cannon JavaScript DDoS tool from Anonymous.

“With Anonymous … you’d see those people coming together and launching an attack with a given tool,” Holden said. “With this, yes, you’re seeing multiple types of attacks, multiple tools, and while blended attacks are common, they’re not so common with classic hacktivism, or hacktivism that we’ve witnessed in the past.”

In other words, “we don’t know whether it’s hacktivism or whether it’s not,” said Holden. “There’s nothing really backing up the advertisement that this was a bunch of angry people. If it is, it’s people who have gone out with a particular skill set, or hired someone with a particular skill set, to launch these particular attacks.” But whoever’s involved in these attacks has quite a lot of knowledge related to the art of launching effective DDoS website takedowns, and has access to high-bandwidth servers, which they’ve either compromised, rented, or been granted access to.

Interestingly, the attackers do appear to have taken a page from the Anonymous attack playbook. “We don’t have all the information about which specific techniques have been used against the U.S. banks so far, but the ‘Izz ad-Din al-Qassam Cyber Fighters’ scripts are based on the JS LOIC scripts used by Anonymous as well,” said Jaime Blasco, AlienVault’s lab manager, via email.

But like Holden, Blasco said that the bank website attackers had used much more than just JavaScript. “The number of queries/traffic you need to generate to affect the infrastructure of those targets is very high,” he said. “To affect those targets, you need thousands of machines generating traffic, and … other types of DDoS.”

Source: http://www.informationweek.com/security/attacks/bank-site-attacks-trigger-ongoing-outage/240008314

The cyber wars are heating up, with the popular Russian government-funded RT News becoming the latest victim to fall foul of a massive distributed denial of service (DDoS) attack that knocked the site out of action for around three hours earlier today.

RT News, whose pro-Russian government stance has seen them publish a number of stories in support of WikiLeaks founder Julian Assange, first revealed that its server was experiencing technical difficulties on Facebook, shortly before tweeting that its hosting provider had confirmed that a DDoS attack was the reason for the outage.

‘Antileaks’, the group that had earlier claimed responsibility for a similar attack on WikiLeaks, later claimed responsibility for taking down RT, although as of yet there is no proof that this group is behind the attacks. What is notable is that the attack came just hours before a guilty verdict was delivered against members of the punk band Pussy Riot, who have been highly critical of Russian leader Vladimir Putin.

Antileaks tweeted that it was responsible for the DDoS attack just 20 minutes after RT had confirmed it, attaching a hashtag in support of the Pussy Riot members. Shortly afterwards, WikiLeaks weighed into the war of words on Twitter, condemning the attack and suggesting that it was due to RT’s support of Assange rather than anything to do with the punk band. RT had previously hosted Assange’s personal chat show, in which one of his guests was none other than Ecuador’s President Rafael Correa.

RT hasn’t said anything about how they managed to overcome the attack, simply posting on Facebook that their English-language site was “back online after DDoS attack but we’re still experiencing some tech difficulties.”


Source: http://siliconangle.com/blog/2012/08/17/rt-news-hit-by-ddos-attack-taken-offline-for-three-hours-this-morning/

A distributed denial-of-service attack aimed at AT&T’s DNS (Domain Name System) servers has disrupted data traffic for some of the company’s customers.

The multi-hour attack began Wednesday morning West Coast time and at the time of this writing, eight hours later, does not appear to have been mitigated.

“Due to a distributed denial of service attack attempting to flood our Domain Name System servers in two locations, some AT&T business customers are experiencing intermittent disruptions in service,” an AT&T spokesman told IDG News Service by email. “Restoration efforts are underway and we apologize for any inconvenience to our customers.”

The attack appears to have affected enterprise customers using AT&T’s managed services DNS product.

“Our highest level of technical support personnel have been engaged and are working to mitigate the issue,” AT&T said in a message on a service status page.

But it added there is “no estimated time” for restoring the service.

DNS is responsible for converting human-friendly domain names into the numeric IP (Internet protocol) addresses that computers use to route data. When it fails, computers are unable to route data to its intended destination, even though the destination server remains online and accessible.

A distributed denial-of-service (DDoS) attack attempts to flood a server or system with so many packets of data that it becomes difficult or impossible to reach for legitimate traffic. It doesn’t necessarily stop the server from working, but the overload of data results in the system being all but unusable.

Service is returned to normal when the attack stops or when engineers find a way to absorb or deflect the nuisance traffic.

“We got our first report of problems at 6:31 a.m. Pacific time,” said Daniel Blackmon, director of software development at Worldwide Environmental Products. The company tests vehicle emissions and has remote units deployed that report back to central servers.

“The problems mean none of the equipment we have in the field can contact our servers, and there is a limit to the amount of information they can hold offline.”


Source: http://www.pcworld.com/businesscenter/article/260940/atandt_hit_by_ddos_attack_suffers_dns_outage.html