DDoS Defense Archive

There has been a massive decrease in the number of server hacks on Rainbow Six Siege since Ubisoft initiated a strategy to combat denial-of-service and distributed denial-of-service (DoS/DDoS) attacks. A number of measures, including running fewer matches on each server and monitoring network traffic, have yielded considerable results, making the shooter much more stable.

In a report from Ubisoft, DoS/DDoS attacks are down 93% since many of the precautions outlined were taken. Ban waves have been introduced to detect perpetrators, servers now host fewer than three matches each, the escalating abandon sanction – the punishment for quitting too many matches, which players caught in an attack were suffering as a side-effect – has been disabled, and network traffic monitoring has been heightened.

Legal action against a number of offenders, and people hosting and offering the services behind these attacks, is being pursued. While anyone caught has been banned, the report states that “prominent” attackers and cheat-makers are the ones facing legal threat. Finally, Ubisoft are working with the Microsoft Azure team to develop broader solutions that will provide “a substantial impact on DDoS, DoS, Soft Booting, and server stressing.”

This plan was revealed back in September, when hacks had become regular enough to necessitate game-wide action. Cheating players were slowing matches down via manufactured lag in order to force opponents to quit. Such behavior spiked around the start of the Operation Ember Rise season.

The BBC interviewed one of the purveyors of these cheats a while back, who claimed top ranked players are among his customers. He made £1,500 a week from selling the hacks, and at the time said his work wasn’t detected by the game – odds are his methods are now ironed out.

Source: https://www.pcgamesn.com/rainbow-six-siege/protections

A number of South African internet service providers (ISPs) are limping away from a widespread distributed denial of service (DDoS) attack on Sunday.

According to a MyBroadband report, ISPs Afrihost, Axxess, and WebAfrica are all currently affected.

As of Monday morning, both Afrihost and Axxess are still struggling with intermittent connectivity and poor network performance.

WebAfrica failed to provide an update.

It’s not yet clear when their services will be restored.

DDoS attacks in a nutshell

A DDoS attack inundates the target server with too many requests, slowing it down to a crawl and in some cases bringing it to a complete halt.

More famous attacks in the past include 2016’s DynDNS attack, which left a vast swathe of the internet inaccessible.

In the same year, the SABC was also a victim of an attack.

Reddit, the PlayStation Network and the now defunct Mt. Gox bitcoin exchange have all suffered similar attacks in the past.

The DDoS on these ISPs comes just days after Sabric (the SA Banking Risk Info Centre) announced that South Africa’s banks were hit by DDoS attacks of their own.

Source: https://memeburn.com/2019/10/ddos-attack-afrihost-axxess-south-africa/

Outages lasted for a full working day as the Route 53 DNS system was disrupted

Businesses were unable to service their customers for approximately eight hours yesterday after Amazon Web Services (AWS) servers were struck by a distributed denial-of-service (DDoS) attack.

After initially flagging DNS resolution errors, customers were informed that the Route 53 domain name system (DNS) was in the midst of an attack, according to statements from AWS Support circulating on social media.

From 6:30pm BST on Tuesday, a handful of customers suffered an outage to services while the attack persisted, lasting until approximately 2:30am on Wednesday morning, when services to the Route 53 DNS were restored. This was the equivalent of a full working day in some parts of the US.

“We are investigating reports of occasional DNS resolution errors. The AWS DNS servers are currently under a DDoS attack,” said a statement from AWS Support, circulated to customers and published across social media.

“Our DDoS mitigations are absorbing the vast majority of this traffic, but these mitigations are also flagging some legitimate customer queries at this time. We are actively working on additional mitigations, as well as tracking down the source of the attack to shut it down.”

The Route 53 system is a scalable DNS that AWS uses to give developers and businesses a way to route end users to internet applications by translating domain names into numeric IP addresses. This effectively connects users to infrastructure running in AWS, such as EC2 instances and S3 buckets.

During the attack, AWS advised customers to update the configuration of clients accessing S3 buckets so that each request specifies the region the bucket is in, to mitigate the impact of the attack. SDK users were likewise asked to specify the region as part of the S3 configuration so that the endpoint name is region-specific.

Rather than infiltrating targeted software or devices, or exploiting vulnerabilities, a typical DDoS attack hinges on attackers bombarding a website or server with an excessive volume of access requests. This causes it to undergo service difficulties or go offline altogether.

All AWS services had been fully restored at the time of writing. The attack struck during a separate outage affecting Google Cloud Platform (GCP), although there is no indication the two outages are connected.

From 12:30am GMT, GCP’s cloud networking system began experiencing issues in its US West region. Engineers then learned the issue had also affected a swathe of Google Cloud services, including Google Compute Engine, Cloud Memorystore, the Kubernetes Engine, Cloud Bigtable and Google Cloud Storage. All services were gradually repaired until they were fully restored by 4:30am GMT.

While outages on public cloud platforms are fairly common, they are rarely caused by DDoS attacks. Microsoft’s Azure and Office 365 services, for example, suffered a set of routine outages towards the end of last year and the beginning of 2019.

One such instance was a global incident towards the end of January this year, in which US government services and LinkedIn sustained an authentication outage.

Source: https://www.cloudpro.co.uk/cloud-essentials/public-cloud/8276/aws-servers-hit-by-sustained-ddos-attack

Kaspersky honeypots – networks of virtual copies of various internet-connected devices and applications – detected 105 million attacks on IoT devices in H1 2019.

Kaspersky honeypots – networks of virtual copies of various internet-connected devices and applications – have detected 105 million attacks on IoT devices coming from 276,000 unique IP addresses in the first six months of the year. This figure is around nine times the number found in H1 2018, when only around 12 million attacks were spotted, originating from 69,000 IP addresses. Capitalizing on the weak security of IoT products, cybercriminals are intensifying their attempts to create and monetize IoT botnets. This and other findings are part of the ‘IoT: a malware story’ report on honeypot activity in H1 2019.

Cyberattacks on IoT devices are booming: more and more people and organizations are buying ‘smart’ (network-connected and interactive) devices, such as routers or DVR security cameras, yet not everybody considers them worth protecting. Cybercriminals, however, see ever more financial opportunities in exploiting such gadgets. They use networks of infected smart devices to conduct DDoS attacks or as proxies for other types of malicious actions. To learn more about how such attacks work and how to prevent them, Kaspersky experts set up honeypots – decoy devices used to attract the attention of cybercriminals and analyze their activities.

Analysis of the data collected from the honeypots shows that attacks on IoT devices are usually not sophisticated but are stealthy, as users might not even notice their devices are being exploited. The malware family behind 39% of attacks – Mirai – is capable of using exploits, meaning that these botnets can get onto a device through old, unpatched vulnerabilities and take control of it. Another technique is password brute-forcing, which is the chosen method of the second most widespread malware family on the list – Nyadrop. Nyadrop was seen in 38.57% of attacks and often serves as a Mirai downloader. This family has been trending as one of the most active threats for a couple of years now. The third most common botnet threatening smart devices – Gafgyt, with 2.12% – also uses brute-forcing.

In addition, the researchers were able to identify the regions that were most often the sources of infection in H1 2019. China was the source of 30% of all attacks, followed by Brazil with 19% and Egypt with 12%. A year ago, in H1 2018, the situation was different, with Brazil leading with 28%, China second with 14% and Japan following with 11%.

“As people become more and more surrounded by smart devices, we are witnessing how IoT attacks are intensifying. Judging by the enlarged number of attacks and criminals’ persistency, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations. This is much easier than most people think: the most common combinations by far are usually “support/support”, followed by “admin/admin”, “default/default”. It’s quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices” – said Dan Demeter, security researcher at Kaspersky Lab.

To keep your devices safe, Kaspersky recommends users:

Install updates for the firmware you use as soon as possible. Once a vulnerability is found, it can be fixed through patches within updates.

Always change preinstalled passwords. Use complex passwords that include capital and lower-case letters, numbers and symbols where possible.

Reboot a device as soon as you think it’s acting strangely. It might help get rid of existing malware, but this doesn’t reduce the risk of getting another infection.

Keep access to IoT devices restricted by a local VPN, allowing you to access them from your “home” network, instead of publicly exposing them on the internet.

Kaspersky recommends that companies take the following measures:

Use threat data feeds to block network connections originating from malicious network addresses detected by security researchers.

Make sure all device software is up to date. Unpatched devices should be kept in a separate network inaccessible to unauthorised users.

Source: https://www.ameinfo.com/industry/technology/iot-more-than-100-million-attacks-on-smart-devices-h1-2019

The field of hacking is a rapidly evolving one. As cybersecurity defenders develop new means of detecting and protecting against cyberattacks, hackers also work to find ways to bypass these new defenses.

One way in which the field of hacking has dramatically changed is the emergence of the hacker service economy. In the beginning, hackers operated as “lone wolves”, carrying out hacking campaigns largely independently. Over time, hacking groups have emerged, and, recently, hackers have begun offering their services to other hackers or consumers. These services can range from specialist support for a certain portion of a cybercrime (like a phishing attack) to offering complete cyberattacks as a service.

The primary effects of this service-based hacking economy are a change in the hacker demographic and the types and number of threats observed in the wild. The ability to rent the services of hackers means that far less experienced players can enter the world of cybercrime, and the number and intensity of attacks against website security has dramatically increased. As a result, organizations need to take additional steps to protect themselves against cyberattacks that are becoming increasingly common and damaging.

The Modernization of Hacking

In the beginning, hacking was primarily a hobby. Technology nerds who knew a great deal about how computers worked would try breaking into different systems just to demonstrate that they could. While their actions were technically illegal, in general, they weren’t hacking to do damage, so the impact was minimal.

Over time, hacking changed from a (mostly) harmless hobby to one where hackers would steal sensitive information and hack into systems for profit. As the Internet became a part of daily life, more and more data was being placed there by individuals and organizations. This data can be valuable to a number of different parties on the black market (for use in further crimes), so hackers who managed to steal a collection of sensitive data could sell it and get paid for their troubles.

Originally, hackers worked alone, and an effective hacker needed to know a great deal about a lot of things and acted as a jack of all trades. Over time, hacking became more team-based, where a group of hackers could each specialize in a certain component of the hack and the team split the profits. This dramatically lowered the bar for entering the field of hacking, allowing it to grow, and laid the groundwork of the hacker service economy.

The Hacker Service Economy

A crucial step in the development of the modern economy was the emergence of role specialization. While it is certainly possible for an individual or a group to remain entirely self-sufficient, it is unlikely that they will be incredibly effective at doing so. Most people can be very good at one thing or fair to middling at many different things. Role specialization allowed individuals to develop expertise in a certain area and improved the overall quality of goods and services available to everyone. Unfortunately, the development of hacking has followed the example of the legitimate economy. The emergence of hacking groups and specializations has led to the creation of a hacker service-based economy. Specialists in a certain field can sell their services to other hackers or consumers.

One example of cybercrime as a service is the concept of a Distributed Denial of Service (DDoS) attack as a service. In a DDoS attack, a large number of computers under the control of a hacker attempt to overwhelm a victim’s website, making it unavailable to legitimate traffic. With the rise of the Internet of Things (IoT), which consists of a large number of insecure Internet-connected devices, and cloud computing, which allows individuals to lease computing power, building botnets to perform DDoS attacks has become easy and affordable. A DDoS attack can be performed for as little as $7 per hour, making it possible for a hacker to sell them affordably, even with a substantial markup.

An example of a service offered by hackers for hackers is the concept of combolists as a service. Combolists are collections of breached user credentials for various online services. In a combolists as a service offering, hackers can subscribe to receive lists of breached credentials on a regular basis. These credentials can then be used in credential stuffing attacks, where hackers try breached username/password combinations on different sites in the hope that a user used the same credentials on multiple sites.

Impacts on Website Security

Distributed Denial of Service and credential stuffing attacks have always posed a threat to website security. DDoS attacks can render a website inaccessible to legitimate users and credential stuffing attacks may allow an attacker to gain unauthorized access to a user’s account.

However, the rise of the hacker service economy has increased the threat that these attacks can pose to organizations’ websites. These services make it easier for an attacker to access the data and talent necessary to perform these attacks, lowering the bar to enter the space. Instead of these attacks primarily being focused on targets chosen by experienced hackers, anyone can buy and target an attack, making any organization vulnerable to a disgruntled employee or a dissatisfied customer.

As a result, organizations need to take action to protect their web resources from the types of attack commonly offered as a service by hackers. A DDoS protection solution and a bot detection & prevention solution capable of detecting credential stuffing attacks have become a crucial component of any organization’s cybersecurity strategy.
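The two credential attacks this archive describes, default-credential brute-forcing against IoT devices (the Kaspersky report above, with its “support/support”, “admin/admin” and “default/default” pairs) and credential stuffing against websites (this article), leave different footprints in login logs and can be told apart with the same per-source-IP statistics. The following is an added example, not code from either article or from the vendors named; the log format, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Default login/password pairs quoted in the Kaspersky report above.
DEFAULT_PAIRS = {("support", "support"), ("admin", "admin"), ("default", "default")}

# Constructed sample log lines (not real data). Honeypot lines record the
# credential pair tried; web login lines (pass=-) record only the username.
SAMPLE_LOG = """\
2019-06-01T10:00:01 src=203.0.113.5 user=admin pass=admin result=FAIL
2019-06-01T10:00:02 src=203.0.113.5 user=support pass=support result=FAIL
2019-06-01T10:00:03 src=203.0.113.5 user=default pass=default result=FAIL
2019-06-01T10:00:04 src=203.0.113.5 user=root pass=12345 result=FAIL
2019-06-01T10:00:05 src=198.51.100.7 user=alice pass=- result=FAIL
2019-06-01T10:00:06 src=198.51.100.7 user=bob pass=- result=FAIL
2019-06-01T10:00:07 src=198.51.100.7 user=carol pass=- result=SUCCESS
2019-06-01T10:00:08 src=198.51.100.7 user=dave pass=- result=FAIL
2019-06-01T10:00:09 src=192.0.2.9 user=alice pass=- result=SUCCESS
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) pass=(\S+) result=(\w+)")

def parse(log_text):
    """Yield (src, user, password_or_None, success) tuples from log lines."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, user, pw, result = m.groups()
            yield src, user, (None if pw == "-" else pw), result == "SUCCESS"

def classify(log_text, stuffing_min_users=3, brute_min_attempts=3):
    """Per source IP, label the login pattern, if any: 'default-credential
    brute force' (repeated attempts including known default pairs) or
    'credential stuffing' (many distinct usernames, mostly failing)."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "defaults": 0})
    for src, user, pw, success in parse(log_text):
        s = stats[src]
        s["attempts"] += 1
        s["fails"] += not success
        s["users"].add(user)
        s["defaults"] += (user, pw) in DEFAULT_PAIRS
    findings = {}
    for src, s in stats.items():
        if s["defaults"] and s["attempts"] >= brute_min_attempts:
            findings[src] = "default-credential brute force"
        elif len(s["users"]) >= stuffing_min_users and s["fails"] * 2 >= s["attempts"]:
            findings[src] = "credential stuffing"
    return findings

if __name__ == "__main__":
    for src, label in classify(SAMPLE_LOG).items():
        print(f"{src}: {label}")
```

The single successful login from 192.0.2.9 is left unflagged, which is the point of looking at per-source distributions rather than individual failures.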

Source: https://smartereum.com/62423/at-your-service-inside-the-hacker-economy/