DDoS Defense Archive

By David Meyer , 9 May, 2012 09:11

Hackers associated with Anonymous forced Virgin Media’s website offline for at least an hour on Tuesday, but the file-sharing service whose blockage sparked the protest has condemned the attack.

In an operation dubbed OpTPB, Anonymous hackers apparently subjected Virgin’s site to a distributed denial-of-service (DDoS) attack that began at 5pm. Twitter messages referring to OpTPB suggested that it was a response to Virgin Media’s blocking of The Pirate Bay (TPB), which began last week after a court ordered it.

Although Virgin admitted to an hour-long downtime, the site was still not working at the time of writing, around 16 hours after the attack began.

“DDoS and blocks are both forms of censorship,” The Pirate Bay told followers on its Facebook page, referring to “some random Anonymous groups [having] run a DDoS campaign against Virgin Media and some other sites”.

“We’d like to be clear about our view on this: We do NOT encourage these actions,” TPB said. “We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us. So don’t fight them using their ugly methods.”

The file-sharing service went on to suggest that those wanting to help it could set up a tracker, join or start a local Pirate Party, write to their political representatives or develop a new P2P protocol.

According to the BBC, Virgin said in a statement that it has to comply with court orders, but believes that “tackling the issue of copyright infringement needs compelling legal alternatives, giving consumers access to great content at the right price, to help change consumer behaviour”.

“Copyright defenders, including the British recorded music industry body BPI, have argued that illegal copies of films, books and music made available on file-sharing sites destroy creative industry jobs and discourage investment in new talent,” the ISP added.

The court order followed a ruling in February which established that TPB was infringing on copyright by providing a service that people use to unlawfully share copyrighted material.

TPB was not itself represented at the hearing that led to that ruling, but the judge, Mr Justice Arnold, argued that there was little point in trying to get the site’s proprietors into court when even the authorities in Sweden, TPB’s home country, had failed to do so.

Virgin Media was the first ISP to carry out the block ordered last week, but others covered by the same court order include Sky, Everything Everywhere, TalkTalk and O2. BT is not yet subject to the order as it has requested more time to assess the implications.

Source: http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/pirate-bay-condemns-virgin-media-hack-10026118/

NEWS

The Serious Organised Crime Agency has taken its website offline due to a distributed denial-of-service attack.

By Tom Espiner, ZDNet UK, 3 May, 2012 15:02

The UK law enforcement agency asked its hosting provider to take the site down at approximately 22.00 on Wednesday, and the site was taken offline at around 22.30, a SOCA spokesman told ZDNet UK on Thursday. The site remained offline at the time of writing.

“The site was taken offline last night to limit the impact of a distributed denial-of-service attack (DDoS) against other clients hosted by our service provider,” the SOCA spokesman said. “The website only contains publically available information.”

The spokesman declined to say who the agency thought was behind the attack, but said it did not pose a security risk.

While website attacks are “inconvenient to visitors”, SOCA does not consider maintaining the necessary bandwidth to deal with DDoS a good use of taxpayers’ money, the SOCA spokesman said.

A Twitter news feed that claims links to the Anonymous hacking collective publicised the DDoS on Thursday, but did not claim responsibility.

“TANGO DOWN: DDoS attack takes down site of UK Serious Organised Crime Agency (SOCA),” said the @YourAnonNews feed.

The SOCA website was taken offline in June 2011, in an action that was claimed by LulzSec, a hacking group affiliated to Anonymous.

“What is surprising is that defence and intelligence levels have not been improved sufficiently since the last successful DDoS attack on SOCA in June 2011,” said Ovum analyst Andrew Kellett. “Hacktivist attacks targeting particular operations have been known to be both persistent and long-standing, requiring extensive DDoS defences.”

SOCA announced last week that it worked with the FBI to take down 36 websites used to sell stolen bank card data.

On Thursday Cabinet Office minister Francis Maude said that SOCA had “recovered nearly two million items of stolen payment card details since April 2011 worth approximately £300m to criminals” in a speech made in Estonia.

 

Source: http://www.zdnet.co.uk/news/security-threats/2012/05/03/soca-website-taken-down-in-ddos-attack-40155157/

There has already been much fallout from the recent massive release of information by the WikiLeaks organisation–including attacks on WikiLeaks itself by those angered by its actions that aimed to disrupt and discredit the organisation. This saw WikiLeaks targeted by a variety of sustained distributed denial of service (DDoS) attacks that aim to make its web presence inaccessible.

Although these attacks were seen to be relatively modest in size and not very sophisticated, the publicity that they received has served to raise awareness of the dangers of such attacks, which can be costly and time-consuming to defend against. DDoS attacks occur when a hacker uses large-scale computing resources, often using botnets, to bombard an organisation’s network with requests for information that overwhelm it and cause servers to crash. Many such attacks are launched against websites, causing them to be unavailable, which can lead to lost business and other costs of mitigating the attacks and restoring service.
DDoS attacks are actually extremely widespread. A recent survey commissioned by VeriSign found that 75% of respondents had experienced one or more attacks in the past 12 months. This is echoed in recent research published by Arbor Networks of 111 IP network operators worldwide, which showed that 69% of respondents had experienced at least one DDoS attack in the past year, and 25% had been hit by ten such attacks per month. According to Adversor, which offers services to protect against DDoS attacks, DDoS attacks now account for 4% of total internet traffic. Another provider of such services, Prolexic Technologies, estimates that there are 50,000 distinct DDoS attacks every week.

The research from Arbor Networks also shows that DDoS attacks are increasing in size, making them harder to defend against. It found that there has been a 102% increase in attack size over the past year, with attacks breaking the 100Gbps barrier for the first time. More attacks are also being seen against the application layer, which target the database server and cripple or corrupt the applications and underlying data needed to effectively run a business, according to Arbor’s chief scientist, Craig Labovitz. Among respondents to its survey, Arbor states that 77% detected application layer attacks in 2010, leading to increased operational expenditures, customer churn and revenue loss owing to the outages that ensue.

Measures that are commonly taken to defend against DDoS attacks include the use of on-premise intrusion detection and prevention systems by organisations, or the overprovisioning of bandwidth to prevent the attack taking down the network. Others use service providers, such as their internet service provider (ISP) or third-party anti-DDoS specialists, which tend to be carrier-agnostic, so not limited to the services offered by a particular ISP. The first two options are time-consuming and costly to manage by organisations and they need the capacity to deal with the massive-scale, stealthy application-layer attacks that are being seen.
With attacks increasing in size and stealthier application-layer attacks becoming more common, some attacks are now so big that they really need to be mitigated in the cloud before the exploit can reach an organisation’s network. ISPs and specialist third-party DDoS defence specialists monitor inbound traffic and when a potential DDoS attack is detected, the traffic is redirected to a scrubbing platform, based in the cloud. Here, the attack can be mitigated thus providing a clean pipe service–the service provider takes the bad traffic, cleans it and routes it back to the network in a manner that is transparent to the organisation.

Guarding against DDoS attacks is essential for many organisations and vital especially for those organisations with a large web presence, where an outage could cost them dearly in terms of lost business. DDoS attacks are becoming increasingly targeted and are no longer just affecting larger organisations. Rather, recent stories in the press have shown that organisations of all sizes are being attacked, ranging from small manufacturers of industry food processing equipment and machinery through to large gambling websites.
By subscribing to cloud-based DDoS mitigation services, organisations will benefit from a service that not only provides better protection against DDoS attacks than they could achieve by themselves, but can actually reduce the cost of doing so as the cost of hardware and maintenance for equipment required is spread across all subscribers to the service and organisations don’t need to over-provision bandwidth as the traffic is directed away from their networks. For protecting vital websites, subscribing to such a service is akin to taking out insurance for ensuring that website assets are protected, and the organisation can protect itself from the cost and reputational damage that can follow from a successful DDoS attack that renders services unavailable.

Source: http://www.computerweekly.com/blogs/Bloor-on-IT-security/2011/02/ddod-attacks-coming-to-a-network-near-you.html

User forum Whirlpool was hit by a distributed denial-of-service (DDoS) attack last night, according to the site’s hosting provider BulletProof Networks.

Although BulletProof Networks chief operating officer (COO) Lorenzo Modesto first said that Whirlpool was the only one of its customers to be affected by the attack, he said later that its public and private managed cloud customers were experiencing intermittent degraded network performance also.

“BulletProof customers have been kept in the loop throughout (per our standard procedures),” Modesto said.

Modesto added that BulletProof had discussed the issue with Whirlpool, resulting in the site being offline last night while the provider gathered more information. The site is back online this morning.

“We made the decision to bring Whirlpool back online in the early hours of this morning through one of our international [content distribution network points of presence] that are usually used to deliver local high-speed content to the offshore users of customers like Movember,” Modesto said.

“We’re continuing the forensics just in case they’re needed and are keeping an eye Whirlpool,” he added.

The attack had come from servers in the US and Korea, according to BulletProof.

“We’ve also been able to record server addresses and other relevant details and have escalated the source servers to the relevant providers in Korea and the US,” he said. “If we need to, we’ll pass all details onto the [Australian Federal Police] with whom we’ve built a good relationship, but we’ll see how this pans out for the moment.”.

This has not been the first DDoS attack to hit the popular site. Last June it experienced ten hours of downtime from a DDoS attack.

BulletProof Networks had also collected internet protocol addresses from that attack, but decided not to prosecute as a “sign of good will”, saying that DDoS was recognised more as a protest than a crime.

However, not all DDoS perpetrators have received the same treatment in the past. Recently Steven Slayo, who was part of the anonymous band which launched attacks against government sites last year over the government’s planned mandatory internet service provider level internet filter was taken to court over his actions.

He pleaded guilty, but escaped criminal conviction because the magistrate deemed him an “intelligent and gifted student whose future would be damaged by a criminal record”.

Source: http://www.zdnet.com.au/whirlpool-hit-by-ddos-attack-339308730.htm

The Wireshark development team has released version 1.2.14 and 1.4.3 of its open source, cross-platform network protocol analyser. According to the developers, the security updates address a high-risk vulnerability (CVE-2010-4538) that could allow a remote attacker to initiate a denial of service (DoS) attack or possibly execute arbitrary code on a victim’s system.

Affecting both the 1.2.x and 1.4.x branches of Wireshark, the issue is reportedly caused by a buffer overflow in ENTTEC (epan/dissectors/packet-enttec.c) – the vulnerability is said to be triggered by injecting a specially crafted ENTTEC DMX packet with Run Length Encoding (RLE) compression. A buffer overflow issue in MAC-LTE has also been resolved in both versions. In version 1.4.3, a vulnerability in the ASN.1 BER dissector that could have caused Wireshark to exit prematurely has been corrected.

All users are encouraged to upgrade to the latest versions. Alternatively, users that are unable to upgrade to the latest releases can disable the affected dissectors by selecting “Analyze”, then “Enabled Protocols” from the menu and un-checking “ENTTEC” and “MAC-LTE”.

More details about the updates, including a full list of changes, can be found in the 1.2.14 and 1.4.3 release notes. Wireshark binaries for Windows and Mac OS X, as well as the source code, are available to download and documentation is provided. Wireshark, formerly known as Ethereal, is licensed under version 2 of the GNU General Public Licence (GPLv2).

Source: http://www.h-online.com/open/news/item/Wireshark-updates-address-vulnerabilities-1168888.html