DDoS Defense Archive

Legitimate software that is already on users' desktops can be used by attackers both to install malware and to generate denial of service (DoS) traffic.

According to DOSarrest CTO Jag Bains and general manager Mark Teolis, big dumb DoS attacks are common and can knock a data centre out, but smarter attacks are smaller, lower and slower.

Now sophisticated botnets, which have more access to compromised computing power, are used to run "headless browsers": a legitimate browser engine (WebKit) that has been modified to run a series of queries against the basic UI of your website.

Teolis said: “These were made for programmers to test out their websites, so made by Safari, Firefox, and now used for nefarious purposes. You stress on it and open up hundreds of sessions on your laptop and see how it runs, but now you can have unlimited process using Javascript, cookies and Captcha.”

Bains said: “You can download the software for free and modify it, PhantomJS is the most popular headless browser and people use it for legitimate purposes like monitoring services. We looked at adding a monitoring service to see how our website was doing 1-2 years ago and you can add a sensor and a certain location and tell it to tell you the load times of each element of the site, but others are modifying it for less than gallant reasons.”

The difference with a headless browser (effectively a piece of software without any control) is that an attacker cannot run it effectively on their own, as they need the victim's machine to load up the program and actively run it. “We see it as a factor of hackable, dedicated boxes out there, you can rent out a slice of virtual computing for $25 a month or more for compromised bots,” Bains said.

The issue for IT security is that it looks like a legitimate session and regular traffic, and it works because the attacker understands how the website is designed and where the weaknesses are. “You cannot set up a web application firewall to prevent it as it is using the same protocol as a real visitor would,” Bains said.

Teolis described it as “death by a thousand cuts”. He said: “All the boxes could not stop it as slow and low attacks come twice an hour, but with 50,000 of them how do you distinguish? With headless browsers it can jump through hoops and it will be a big problem for older boxes.”

A headless browser runs in its own instance, does its own coordination and needs only an operating system to run on. The only way it can be detected on the compromised machine is if the victim runs netstat to see what is talking out of port 80.

In terms of how to protect against a headless browser, Bains said that a pure play DDoS protection service can help, because this kind of attack evades signature-based detection and so cannot be stopped immediately: the traffic has to be parsed and analysed to see the pattern and anything that wasn't there an hour ago.

Teolis said: “With real time support there is a human involved and you can develop some rulesets to determine what is going on and implement this module. We can do it in seconds, and that is part of our software and we can do it in under a minute.”

Source: http://www.itproportal.com/2014/04/01/headless-browsers-legitimate-software-enables-attack/

Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.

The technique made it possible for an attacker with modest resources to greatly amplify the bandwidth at its disposal. By sending spoofed Web requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle. Besides causing such a large number of unsuspecting sites to attack another one, the attack is notable for targeting XML-RPC, a protocol the sites running WordPress and other Web applications use to provide services such as pingbacks, trackbacks, and remote access to some users.

Researchers from security firm Sucuri recently counted more than 162,000 legitimate WordPress sites hitting a single customer website. They suspect they would have seen more if they hadn’t ended the attack by blocking the requests.

“Can you see how powerful it can be?” Sucuri CTO Daniel Cid wrote in a blog post published Monday. “One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file.”

The result: the unidentified target website was flooded with hundreds of requests per second. Hundreds of requests per second may not sound like much, especially when compared with recent attacks, some of which reached volumes close to 400 gigabits per second. It’s important to remember that the XML-RPC traffic is directed at a targeted site’s layer 7 (aka application layer), which handles HTTP, FTP, DNS, and several other communications protocols. Many DDoS techniques direct torrents of traffic at a much lower level, usually in the network layer (aka layer 3). Layer 7 attacks frequently require much less junk data to be effective.

Cid’s blog post contains plenty of useful information about DDoS attacks that abuse XML-RPC, including this scanner that will indicate whether a specific Web address was observed participating in the attack Sucuri blocked. The post also provides instructions that operators of WordPress sites can follow to prevent their servers from being abused to carry out these types of attacks. The technique involves adding the following code to a site theme:

// Add to the site theme (its functions.php): drop pingback.ping from the
// method table WordPress exposes over XML-RPC, so the site can no longer be
// told to "ping back" an arbitrary URL on an attacker's behalf.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

Cid doesn’t say if there are any negative consequences that will result from adding the filter. Since XML-RPC provides useful and possibly needed functionality, readers are advised to carefully consider the pros and cons before applying such a move to a production server. Readers who know more about the way the XML-RPC protocol is implemented in WordPress and the effects of the above filter are encouraged to share their knowledge in the comments.

The WordPress-enabled attacks are just one technique in a growing arsenal of powerful DDoS weapons. Other implementations include the abuse of the Internet’s time-synchronization protocol and the exploitation of open domain name system servers to greatly amplify traffic. Attackers have also waged extremely powerful DDoS campaigns using botnets of WordPress servers. The growing body of attacks shows that there’s no shortage of ways to inflict crippling damage on the Internet.
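The two articles above describe traffic that looks legitimate one request at a time: the "death by a thousand cuts" headless-browser pattern (50,000 sources, each hitting the site twice an hour) and the pingback reflection seen by the target (162,000 clean WordPress sites fetching one customer's pages). As an added example, not code from either article, DOSarrest or Sucuri, the script below runs two detectors over web server access logs in the common combined format: one compares the distinct-client count per path with the previous hour, as Bains suggests ("anything that wasn't there an hour ago"), and one counts distinct WordPress sites by the `WordPress/<version>; <site url>` User-Agent that WordPress sends when it fetches a URL to verify a pingback. The log format, the thresholds and the sample log are assumptions constructed for the example.

```python
"""Added example: two access-log heuristics for the DDoS patterns above.
Log format, thresholds and sample data are assumptions, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumed):
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# User-Agent WordPress uses for its own outbound requests (pingback verification).
WP_UA_RE = re.compile(r"^WordPress/(?P<ver>[\d.]+); (?P<site>https?://\S+)")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def parse_log(lines):
    return [rec for rec in map(parse_line, lines) if rec]


def low_and_slow_paths(records, now, window=timedelta(hours=1),
                       growth=5.0, max_per_client=3):
    """Flag paths whose distinct-client count in the last `window` is at least
    `growth` times the count in the window before it, while each client sent
    no more than `max_per_client` requests on average (low per-IP rate)."""
    recent_ips, recent_hits = defaultdict(set), defaultdict(int)
    baseline_ips = defaultdict(set)
    for r in records:
        age = now - r["time"]
        if timedelta(0) <= age < window:
            recent_ips[r["path"]].add(r["ip"])
            recent_hits[r["path"]] += 1
        elif window <= age < 2 * window:
            baseline_ips[r["path"]].add(r["ip"])
    flagged = {}
    for path, ips in recent_ips.items():
        before = len(baseline_ips.get(path, ()))
        per_client = recent_hits[path] / len(ips)
        if len(ips) >= growth * max(before, 1) and per_client <= max_per_client:
            flagged[path] = {"clients_now": len(ips), "clients_before": before,
                             "hits": recent_hits[path]}
    return flagged


def pingback_reflectors(records, now, window=timedelta(minutes=5), min_sites=50):
    """Return (is_attack, {wordpress_site: hits}) for WordPress-originated
    requests in the last `window`. Many distinct sites at once means your URL
    is being submitted to their XML-RPC pingback.ping endpoints."""
    sites = defaultdict(int)
    for r in records:
        if timedelta(0) <= now - r["time"] < window:
            m = WP_UA_RE.match(r["ua"])
            if m:
                sites[m.group("site")] += 1
    return len(sites) >= min_sites, dict(sites)


# ---- constructed sample log (not real traffic) ------------------------------
NOW = datetime.strptime("01/Apr/2014:12:00:00 +0000", TIME_FMT)


def _line(ip, ts, path, ua, method="GET"):
    return (f'{ip} - - [{ts.strftime(TIME_FMT)}] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


def sample_log():
    lines = []
    # Hour before: four ordinary visitors on the site's search page.
    for i in range(4):
        lines.append(_line(f"198.51.100.{i}", NOW - timedelta(minutes=90 + i),
                           "/search?q=news", "Mozilla/5.0"))
    # Last hour: 40 distinct clients, one or two searches each (60 hits).
    # The user agent is a normal browser string; headless browsers look legitimate.
    for i in range(40):
        for k in range(1 + i % 2):
            lines.append(_line(f"203.0.113.{i}",
                               NOW - timedelta(minutes=1 + (i + 7 * k) % 55),
                               "/search?q=news", "Mozilla/5.0"))
    # Last minute: 60 different WordPress sites fetching "/" to verify a pingback.
    for i in range(60):
        lines.append(_line(f"192.0.2.{i}", NOW - timedelta(seconds=10 + i), "/",
                           f"WordPress/3.8; http://blog{i}.example"))
    return lines


if __name__ == "__main__":
    recs = parse_log(sample_log())
    print("low and slow:", low_and_slow_paths(recs, NOW))
    print("pingback reflection:", pingback_reflectors(recs, NOW))
```

Both detectors key on what a per-request or per-IP rule cannot see: the change in the population of clients over time, and the origin the requests declare rather than the IP they come from. The thresholds are starting points to tune against your own baseline; a large site behind a shared cache or a popular page linked from a genuinely busy blog can also show a sudden jump in distinct clients, so treat a hit as something to investigate, not to block automatically.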

Source: http://arstechnica.com/security/2014/03/more-than-162000-legit-wordpress-sites-abused-in-powerful-ddos-attack/

Distributed denial-of-service (or DDoS) attacks aren't new; however, the ferocity and volume of attacks has risen sharply over recent months. Just last month, a stream of attacks wreaked havoc across the Internet, and continued DDoS attacks shut down one of the world's largest Bitcoin exchanges, MtGox.

If you think these attacks are orchestrated by highly sophisticated cyber masterminds, think again. As the name implies, a DDoS simply tries to prevent a service from working. In a DDoS, the attacker uses a large number of machines from all over the Internet to send enormous amounts of traffic towards the target.

Usually, the source of the traffic is a network of compromised “zombie” computers (also known as a botnet) that send the traffic. Hacker forums, blogs, and even YouTube share easily accessible information on how to set up a DDoS attack, making it so that practically anyone with an Internet connection can launch their own attack.

However, DDoS attacks are not only obnoxious to deal with – they can have very real detrimental consequences for business.

How can you tell whether you’ve been the victim of DDoS?

When dealing with a DDoS attack, it is worth noting that it can be challenging even to determine whether your website is down because of legitimate traffic rather than an attack. The key to telling the difference lies in how long the service is down: if slow or denied service continues for days, rather than as a spike during a campaign, it is time to start looking into what is going on.

Additionally, if the same source address is querying for the same data long before the Time to Live (TTL) has passed, it could be a sign that they are up to no good. Unfortunately, you cannot simply check to see if all of the traffic is coming from one IP, as this is the exact purpose of a DDoS: to have traffic coming from multiple sources.
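The TTL signal above can be checked mechanically on the server that hands out the records. The script below is an added example, not from the article or its author: it reads a constructed query log for a DNS zone (DNS is the interpretation assumed here, since TTL is the cache lifetime attached to each record), remembers when each client last asked for each record, and counts how often the same client asks again before even a tenth of that record's TTL has passed. A well-behaved resolver would have served the answer from its cache for the rest of the TTL. The zone, the TTLs, the thresholds and the log lines are all assumptions made for the example.

```python
"""Added example: flag clients that re-query the same DNS record long before
the TTL they were given has expired. Zone data and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical TTLs of the records this server is authoritative for.
ZONE_TTLS = {"www.example.com.": 3600, "api.example.com.": 300}

# Constructed query log, one query per line: "<UTC time> <client> <qname> <qtype>"
SAMPLE_QUERIES = [
    # 10.0.0.5 asks for the same 1-hour record every two seconds (8 queries).
    f"2014-03-06T09:00:{s:02d} 10.0.0.5 www.example.com. A" for s in range(0, 16, 2)
] + [
    # 10.0.0.9 asks for a 5-minute record every two minutes: not early enough to flag.
    "2014-03-06T09:00:00 10.0.0.9 api.example.com. A",
    "2014-03-06T09:02:00 10.0.0.9 api.example.com. A",
    "2014-03-06T09:04:00 10.0.0.9 api.example.com. A",
    "2014-03-06T09:06:00 10.0.0.9 api.example.com. A",
    # 10.0.0.7 behaves: it comes back only after the hour-long TTL has passed.
    "2014-03-06T09:00:00 10.0.0.7 www.example.com. A",
    "2014-03-06T10:01:40 10.0.0.7 www.example.com. A",
    # A name we do not serve is ignored.
    "2014-03-06T09:00:03 10.0.0.7 other.example.net. A",
]


def parse_query(line):
    """Split one log line into (time, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, qname, qtype


def early_requeries(lines, zone_ttls, early_fraction=0.1, min_violations=5):
    """Return {(client, qname, qtype): count} for clients that repeated the same
    query while less than `early_fraction` of the record's TTL had elapsed,
    keeping only those with at least `min_violations` such repeats."""
    queries = sorted(parse_query(line) for line in lines)  # process in time order
    last_seen = {}
    violations = defaultdict(int)
    for t, client, qname, qtype in queries:
        ttl = zone_ttls.get(qname)
        if ttl is None:
            continue  # not our record, so no TTL to reason about
        key = (client, qname, qtype)
        prev = last_seen.get(key)
        if prev is not None and (t - prev) < timedelta(seconds=ttl * early_fraction):
            violations[key] += 1
        last_seen[key] = t
    return {k: v for k, v in violations.items() if v >= min_violations}


if __name__ == "__main__":
    for key, count in early_requeries(SAMPLE_QUERIES, ZONE_TTLS).items():
        print(f"{key[0]} re-queried {key[1]} {key[2]} early {count} times")
```

One client address can front many machines, so a busy shared resolver or a NAT gateway will sometimes look like this too; the point, as the article says, is that it can be a sign, and the per-client counts give you a ranked list of sources to look at rather than a verdict.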

How can you prepare yourself?

Of course, you won’t want to wait until you have become the latest unfortunate victim of the long line of attacks. There are a number of steps you can take to ensure you won’t make yourself a target and keep your network clean of spammers and other miscreants:

1. Be aware

Invest in technology that allows you to know your network’s normal behaviour and will make you aware of any abnormal incidents such as a DDoS.

2. Boost capacity

Make sure you provision enough server capacity and tune for best performance under high load. Build the biggest network you can with effective elements for advanced mitigation.

3. Practice your defence

Knowing how to use your defensive strategy is just as important as buying and installing it. Practice the drills over and over to get it committed to your staff’s minds.

4. Get help

If you don't have the resources to deal with attacks in-house, your best bet is to outsource to a managed DNS provider who can redirect site visitors to hosts that aren't down, with advanced features like load balancing and performance monitoring.

5. Be prepared

The best way to avoid any disruption from a DDoS attack is to be prepared for it. If you are having a hard time deciding whether or not you actually need to invest in a stronger mitigation technique (e.g. you believe your industry or business is at a low risk of an attack), figure out the impact it would have on your company financially if it were to happen.

Although it may not be an apparent risk, the cost associated with being attacked is usually much higher than the cost to take safeguards.

Source: http://www.itproportal.com/2014/03/06/how-tell-if-youve-been-hit-ddos-attack-and-how-respond/

Cloud DDoS protection provider, DOSarrest’s Proxy Defense has been named ‘security product of the year’ at the first UK Cloud Awards that took place on Wednesday evening during Cloud Expo. Alex Hilton, the Cloud Industry Forum’s CEO, praised the quality of the entries, while the keynote speaker, Outsourcery’s joint-CEO and BBC ‘Dragon’, Piers Linney used the occasion to describe how the cloud has come of age.

“We are delighted to have won this accolade for our DDoS Protection service,” said Mike Gordon from the DOSarrest UK office who collected the award at London’s City Hall. “The service has stopped thousands of attacks on our customers’ websites and it has done so seamlessly. So, to be recognised as the best is a huge achievement.”

The awards, launched by Cloud Pro in association with The Cloud Industry Forum and techUk, celebrate the very best of the industry and the ‘security product of the year’ category recognised the considerable innovation and capability that has been brought to market in the UK to further enhance the cloud’s reputation as a secure and trusted environment.

“The calibre of the entries we received this year made the judging process no easy task. The standard of the entries, and ultimate winners, speaks volumes about tech success and innovation in the UK, and serve as a reminder of the dynamic and forward-looking industry we have in this country. DOSarrest fought off strong competition to take home Security Product of the Year, and I’d like to take this opportunity to congratulate them,” said Alex Hilton, CEO of the Cloud Industry Forum.

DOSarrest’s Proxy Defense is a fully managed, cloud-based DDoS protection service. Once a website is running on Proxy Defense, which takes less than 15 minutes to set up, the site is immediately protected 24/7 from any and all DDoS attacks.

To view the entire winner list click below:

http://www.ukcloudawards.co.uk/congratulations-our-winners

About DOSarrest Internet Security:

DOSarrest founded in 2007 in Vancouver, BC, Canada is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services. Their global client base includes mission critical ecommerce websites in a wide range of business segments including financial, health, media, education and government. Their innovative systems, software and exceptional service have been leading edge for over 7 years now.

Source: http://www.consumerelectronicsnet.com/article/DOSarrest-Wins-Security-Product-of-the-Year-at-the-UK-Cloud-Awards-2014-3090275