DoS Attacks Archive

Various implementations of HTTP/2, the latest version of the HTTP network protocol, have been found vulnerable to multiple security vulnerabilities affecting the most popular web server software, including Apache, Microsoft’s IIS, and NGINX.

Launched in May 2015, HTTP/2 has been designed for better security and improved online experience by speeding up page loads. Today, over hundreds of millions of websites, or some 40 percent of all the sites on the Internet, are running using HTTP/2 protocol.

A total of eight high-severity HTTP/2 vulnerabilities, seven discovered by Jonathan Looney of Netflix and one by Piotr Sikora of Google, exist due to resource exhaustion when handling malicious input, allowing a client to overload server’s queue management code.

The vulnerabilities can be exploited to launch Denial of Service (DoS) attacks against millions of online services and websites that are running on a web server with the vulnerable implementation of HTTP/2, knocking them offline for everyone.

The attack scenario, in layman’s terms, is that a malicious client asks a targeted vulnerable server to do something which generates a response, but then the client refuses to read the response, forcing it to consume excessive memory and CPU while processing requests.

“These flaws allow a small number of low bandwidth malicious sessions to prevent connection participants from doing additional work. These attacks are likely to exhaust resources such that other connections or processes on the same machine may also be impacted or crash,” Netflix explains in an advisory released Tuesday.

Most of the below-listed vulnerabilities work at the HTTP/2 transport layer:

  1. CVE-2019-9511 — HTTP/2 “Data Dribble”
  2. CVE-2019-9512 — HTTP/2 “Ping Flood”
  3. CVE-2019-9513 — HTTP/2 “Resource Loop”
  4. CVE-2019-9514 — HTTP/2 “Reset Flood”
  5. CVE-2019-9515 — HTTP/2 “Settings Flood”
  6. CVE-2019-9516 — HTTP/2 “0-Length Headers Leak”
  7. CVE-2017-9517 — HTTP/2 “Internal Data Buffering”
  8. CVE-2019-9518 — HTTP/2 “Request Data/Header Flood”

“Some are efficient enough that a single end-system could potentially cause havoc on multiple servers. Other attacks are less efficient; however, even less efficient attacks can open the door for DDoS attacks which are difficult to detect and block,” the advisory states.

However, it should be noted that the vulnerabilities can only be used to cause a DoS condition and do not allow attackers to compromise the confidentiality or integrity of the data contained within the vulnerable servers.

Netflix security team, who teamed up with Google and CERT Coordination Center to disclose the reported HTTP/2 flaws, discovered seven out of eight vulnerabilities in several HTTP/2 server implementations in May 2019 and responsibly reported them to each of the affected vendors and maintainers.

According to CERT, affected vendors include NGINX, Apache, H2O, Nghttp2, Microsoft (IIS), Cloudflare, Akamai, Apple (SwiftNIO), Amazon, Facebook (Proxygen), Node.js, and Envoy proxy, many of which have already released security patches and advisories.

Source: https://thehackernews.com/2019/08/http2-dos-vulnerability.html

Popular chat service Discord experienced issues today due to network problems at Cloudflare and a wider internet issue. The app was inaccessible for its millions of users, and even Discord’s website and status pages were struggling. Discord’s problems could be traced to an outage at Cloudflare, a content delivery network. Cloudflare started experiencing issues at 7:43AM ET, and this caused Discord, Feedly, Crunchyroll, and many other sites that rely on its services to have partial outages.

Cloudflare says it’s working on a “possible route leak” affecting some of its network, but services like Discord have been inaccessible for nearly 45 minutes now. “Discord is affected by the general internet outage,” says a Discord statement on the company’s status site. “Hang tight. Pet your cats.”

“This leak is impacting many internet services including Cloudflare,” says a Cloudflare spokesperson. “We are continuing to work with the network provider that created this route leak to remove it.” Cloudflare doesn’t name the network involved, but Verizon is also experiencing widespread issues across the East Coast of the US this morning. Cloudflare notes that “the network responsible for the route leak has now fixed the issue,” so services should start to return to normal shortly.

Cloudfare explained the outage in an additional statement, commenting that “Earlier today, a widespread BGP routing leak affected a number of Internet services and a portion of traffic to Cloudflare. All of Cloudflare’s systems continued to run normally, but traffic wasn’t getting to us for a portion of our domains. At this point, the network outage has been fixed and traffic levels are returning to normal.”

Source: https://www.theverge.com/2019/6/24/18715308/discord-down-outage-cloudflare-problems-crunchyroll-feedly

Many companies underestimate the threat of DDoS, but 5G’s faster speeds and greater mobility will undoubtedly make attacks even more destructive.

When Airbnb, Netflix, GitHub, Twitter, CNN, Spotify, Reddit, and many other websites became fully or partially unavailable in October 2016, millions of users found it a mild nuisance. But for DNS provider Dyn, which was on the receiving end of massive DDoS attacks fuelled by a gigantic botnet, it caused mayhem.

This DDoS attack made it clear that cybercriminals are making bold moves that can potentially bring down the internet.

Fast forward to 2020: the impending deployment of 5G gives attackers more firepower than ever by creating easily exploitable targets they can enlist into botnets that overpower traditional DDoS defenses.

Along with experts’ warnings, available data highlights this trend. The ENISA Threat Landscape Report 2018 confirms that DDoS attacks are continuously evolving:

  • Close to 45% of DDoS attacks lasted for over 90 minutes while 4.62% of them persisted for 20+ hours
  • The average DDoS attack went on for 318.10 minutes, while the longest one continued for a stupefying six days, five hours, and 22 minutes
  • The first terabit DDoS was recorded in 2018 against GitHub (1.35Tbps), shortly followed by another one targeting Arbor Networks (1.7Tbs).

DDoS attacks have been around for 20 years, but the current tech environment is fuelling a renewed interest for them, with 5G set to play a fundamental role.

Factors that favour massive DDoS attacks in the 5G era

Security specialists cannot afford to overlook the appeal that 5G has to cybercriminals looking to make a hefty payday. Here are the factors that makes it easy for them to launch destructive DDoS attacks that put businesses at risk of complete shutdown.

1. Innovation outpaces the ability to secure it

The gap between adopting new tech and properly securing it is becoming steeper, and issue that regains prominence as 5G and AI has become a business reality.

Cybersecurity has moved from cost to necessity, but most decision makers haven’t made it a board-level priority, and attackers are fully aware of that.

2. DDoS for hire is cheaper than ever before

The cybercrime economy makes services like DDoS for hire prevalent and easily accessible. A 24-hour DDoS attack against a single target can cost as little as US$ 400. Access to cheap bots is significantly damaging to internet service providers (ISPs), as the average cost of such an attack rose to US$ 2.5 million in 2017.

3. 5G brings hyperconnectivity and expands the attack surface

While 5G has tremendous potential for growth and innovation, it comes with a huge caveat. Connecting more devices faster inevitably leads to an influx of malicious traffic. Attackers will exploit poorly secured devices and use the millions of leaked (and reused) credentials to build botnets that make Mirai look like a proof-of-concept.

The biggest risk is that large-scale DDoS attacks take down financial institutions and critical infrastructure. Thus, DDoS mitigation that can cope with attacks in the range of terabits becomes a crucial necessity.

4. Insufficient resources to tackle imminent dangers

CISOs already struggle to get resources to handle current threats while business leaders push for 5G adoption. Meanwhile, cybercriminals will take the opportunity to exploit higher capacity bandwidth that 5G provides to launch attacks on an unprecedented scale.

The companies must accept the responsibility for DDoS mitigation with consolidated security. Many companies underestimate the threat of DDoS, but 5G’s faster speeds and greater mobility will undoubtedly make attacks even more destructive. Business and security leaders must make a conscious decision to prioritize anti-DDoS measures.

By adopting custom-built solutions designed specifically to detect and defeat DDoS attacks, businesses can keep operations running smoothly. Moving focus from on-premise hardware firewalls to choosing a globally distributed network of scrubbing centers with unrivaled mitigation capacity may be a winning card in the Anti-DDoS battle.

Network operators must scrupulously monitor anomalous activity, access, and traffic patterns to curb large DDoS attacks.

CSPs must consider high-volume DDoS mitigation services and combine them with deep packet inspection (DPI) that doesn’t impact legitimate traffic or streaming quality.

It’s important to keep in mind that, once 5G is deployed, companies and individual users alike expect flawless connectivity and network performance, along with uncompromised security and privacy. In the coming years, balancing service quality with security is what will set visionary CSPs apart from the rest.

Source: https://www.scmagazineuk.com/security-concerns-5g-era-networks-ready-massive-ddos-attacks/article/1584554

The development of the telecommunications infrastructure in Central Asia has increased the online presence of the region dramatically. It has also exposed cybercrime weaknesses. Unfortunately, there has been little education and development of regional expertise around the dangers of information technology. Central Asia as a whole is now facing a growing threat from attacks by cyber-criminal gangs.

2018 digital use in Central Asia 

Responding to this increasing threat governments in the region have made it a priority to protect their countries online data. In a September 2017 speech to the Kazakh Majlis President Nursultan Nazarbaev stated,

“In the last three years alone, the volume of illegal online content has increased 40-fold. This means that we need a reliable cyber-shield for Kazakhstan. We cannot put off the creation of [this shield], we must protect the interests of our country, our culture and our values,”

Currently, only Uzbekistan, Kazakhstan and Kyrgyzstan have made significant inroads into this arena.  All three have engaged in the development of comprehensive legal and regulatory frameworks for cybersecurity. Moreover, they have established and adopted “kontseptsiya” or concept papers for the creation of national cybersecurity strategies’. One example of this being the successful Kazakhstan Cyber Shield. They have also formed Computer Emergency Response Teams or CERTs (CERT-KZ, UZ-CERT, CERT.KG. ).

Additionally, Uzbekistan and Kazakhstan have created dedicated cyber programs at national universities with the intention of training information and cyber experts on domestic CERT agencies. Both governments are now capable of repelling the majority of daily cyber attacks that occur. As Ruslan Abdikalikov, Deputy Chairman of the Committee for Information Security of the Ministry of Defence and Aerospace Industry of Kazakhstan stated at the 2018 SOC-FORUM conference,

“Cyber attacks are fixed every second and their number is growing. We fixed 1 billion of such attacks in 2016. There were 20bn attacks on Kazakhstan last year, on the state information structures. Nobody knows how many attacks business faces. The attacks on the Government increased by 20 times over the past year […] but we protect ourselves from them.”

Cybercrime and Hackmail

Central Asia currently has one of the highest global rates of cyber-criminal activities. This comes despite efforts improving the region’s capacity to deal with cyber attacks or cyber terrorism. Kazakhstan, thanks to its attractive financial situation and high number of internet users, has faced significant issues with cybercrime.  Statistics indicate that it has had the highest rate of cyber infiltration in Central Asia since 2010. At the same time, 85% of internet users have been compromised. In the past year alone, the Kazakh National Security Committee (KNB) announced that 63,000 attacks have occurred. This shows an increase of 38,000 since 2017.

Zeroing in on Kazakhstan’s financial sector, cyber-criminals have not just hacked accounts, but also bank machines and payment terminals. The lion’s share of the attacks has consisted of viruses and phishing attacks. These compromise devices to either generate spam or participate in Distributed Denial of Service (DDoS) attacks. Cyber-criminals have also used compromised machines to launch DDoS attacks. These typically demand that the victim pay a ransom for the attack to stop.

A prime example was Kazakhstan’s Alfa-Bank in 2017. According to Alfa-Bank IT specialist Yevgeny Nozikov, the hackers sought their reward in the form of a ransom. The bank had to pay a sum, in exchange for the hackers to unblock the IT systems. In another case of cyber extortion in March 2012, the owner of a Kyrgyz entertainment website suffered several days of DDoS attacks. A hacker sent a blackmail message warning that the attacks would continue if the owner chose not to pay.

Kyrgyzstan’s 24.kg news agency also noted that the country experiences high amounts of commercial cyber attacks. According to sources, 776 websites belonging to various commercial companies, individuals and government agencies had been hacked in 2017.

What experts say

On average, 20 websites are successfully hacked every five days in the country, while every tenth website is hacked repeatedly. Government officials and cyber-experts throughout Central Asia argue that this is due to the lack of awareness of cybersecurity in the general public.

This point was reiterated by the Kaspersky Lab Cybersecurity Index. The Index demonstrates that in countries like Kazakhstan and Uzbekistan, many users not particularly concerned about the need for any protective cyber measures. As Laziz Buranov, a department head from Uzbekistan’s Information Security Centre (TsOIB), explained to Caravansei,

“Last year, 493 .uz domain sites were subjected to hacker attacks. They were hacked for various reasons. In the majority of cases, the site owners themselves were at fault — they […] used infected and vulnerable software.”

According to Kaspersky Labs many private users and businesses in Kazakhstan and Uzbekistan even utilise pirated software such as unprotected copies of old Windows operating systems for their online activities. Thereby placing at risk all online activities, thanks to the lack of information technology expertise and cybersecurity in the public domain. This lack of expertise means that Central Asia as a whole is extremely attractive to cyber-criminals gangs who view these weaknesses as an invitation to stay.

Is Central Asia a CyberCrime Haven?

In Kazakhstan during the past two years, the criminal cyber gang Cobalt has established itself thanks to the lack of cybersecurity. According to Arman Abdrasilov, Director at TsARKA,  the Astana-based Center for Cyberattack Analysis and Research, Kazakh security experts have seen a rise in the number of domestic computers being hijacked by Cobalt malware. They point to the use of hacked Kazakh servers in the 2016 attack on the Bangladesh Bank. The attack resulted in $81 million worth of loss. This evidence demonstrates the criminal gang has set up shop in Central Asia.

Emerging in 2013, Cobalt is “One of the world’s most dangerous hacker groups […] which specializes in hacking into bank accounts,” stated Abdrasilov. The group first targetedRussian banks with phishing emails. These emails contained programmes that would enable them to gain access to password-protected archives. In turn, this gave them remote access to ATMs, which would then deliver cash to waiting accomplices. Since 2017, the group has branched out from Eastern Europe and Southeast Asia to Europe and North America. According to Europol, Cobalt has attacked banks in 40 countries and caused losses of more than $1.1 billion.

In Central Asia, cybercrime poses a significant risk to banking and financial institutions. Lack of knowledge, expertise and protective procedural training among employees make them vulnerable to attacks like those mentioned above. Authorities are yet to get a handle on dealing with these crimes. Governments are struggling to respond to the attacks. In Kazakhstan, for example, only 3% of online crimes are ever prosecuted.

Risks are Significant

Like a dog chasing its own tail, Central Asian governments are at something of an impasse with their cyber-readiness. While rapidly trying to catch up to the fast-paced global cyber environment, governments have focused heavily on the state IT infrastructure. They have not allocated enough time to educate or develop IT and cyber-knowledge in the general population. While the state apparatus is cyber-ready, the general public is still vulnerable to cybercrimes.

To redress this issue, the governments of the region should look beyond their borders for expertise in developing nation-wide cybersecurity information awareness programmes and domestic information technology specialists. Allies like Russia and China could provide these, as both are regarded at the forefront of cybersecurity. However, engaging help from their usual partner states is also fraught with danger in the current international climate. Both China and Russia are in an expansionist phase. They are utilising any opportunity that may arise to help them advance their own foreign agenda, as illustrated in Ukraine and the South China Sea. This leaves Central Asian countries little option but to develop domestic expertise from other sources, like America and India.

The problem here is that it will take time to develop expertise on a domestic level. Training information technology specialist and cybersecurity experts is an intensive task. Countries like Uzbekistan are now seeking to redress this issue and are implementing programs to right this crucial flaw in their cyber-readiness. It will be several years before these students are cyber-ready. Countries like Kazakhstan, though, are still attracting cyber-criminals at an increasing pace due to the lack of general cybersecurity infrastructure and knowledge at a grassroots level.

Once established, it can be difficult to remove cyber-criminal gangs without allocating significant resources to the task. These are resources the region does not yet possess. While many Central Asian governments are trying to fast track their cyber-readiness, the rapid evolution of malware and cyber threats means they are currently well behind in meeting this threat and will be for the foreseeable future.

Source: https://globalriskinsights.com/2019/04/central-asia-cybercrime-land/

DDoS attacks sized 100Gbps and higher exploded in Q1 2019, with 77% of all attacks targeting two or more vectors.

Distributed Denial of Service (DDoS) attacks are increasing in size and frequency, as multi-vector exploits become more of the norm in hacker’s efforts to distract and confuse security teams, while damaging their businesses, according to a Wednesday report from Neustar Research.

Attacks sized 100Gbps and higher increased by 967% in Q1 2019 compared to Q1 2018, the report found. The largest attack measured—587Gbps—was more than 70% larger than the biggest attack in the same period in 2018 (345Gbps).

While the largest DDoS attacks experienced the most growth, smaller attacks also increased exponentially, according to the report. Attacks under 5Gbps increased by 257% in the last year.

This year’s attacks use a variety of ports and protocols to locate and exploit vulnerabilities, and change their form over the course of the attack, the report noted. More than three-quarters (77%) of attacks in Q1 2019 targeted two or more vectors, and 51% targeted three or more, the report found.

Targeted subnets and classless inter-domain routing (CIDR) blocks to slow or stop network traffic was one highly disruptive DDoS threat, according to the report.

While a number of tools on the market can help businesses ward off these attacks, none can replace the effectiveness of having cybersecurity professionals on staff, the report noted.

“Today’s artificial intelligence and machine learning technologies enable us to identify anomalous traffic and patterns, correlate data across systems, and perform behavioral analytics on users and entities, said Rodney Joffe, Neustar Senior Vice President, Technologist and Fellow. “But none of these systems function without professionals who know how to deploy them, interpret their data, identify the existence and location of problems, and mitigate them.”

Source: https://www.techrepublic.com/article/major-ddos-attacks-increased-967-this-year/