DoS Attacks Archive

Could face six years’ porridge

By Carly Page
Thu May 10 2012, 10:58
TWO NORWEGIAN TEENAGERS have been arrested on suspicion of carrying out online attacks, including one on the UK Serious Organised Crime Agency (SOCA) web site. The 18- and 19-year-olds have been arrested by Norway’s National Criminal Investigation Service (NCIS) for suspected involvement in a number of distributed denial of service (DDoS) attacks, including last week’s attack on the SOCA web site.

“We have arrested the two we think are most important in these attacks, but we still want to talk to more people,” said NCIS prosecutor Erik Moestue.

The agency did not specifically refer to any particular attack, but Moestue added that the attack on SOCA was one of the attacks it is investigating.

He said, “We know SOCA was recently attacked, as well as Norwegian and American sites, and that is one of the things that we are looking into.”

The country’s largest financial services group, its police security service and its national lottery have recently been hit by DDoS attacks.

If found guilty of the offence under Norwegian law, the two could face maximum six-year jail sentences.

No further details were given regarding the two youths’ identities or group affiliations, but F-Secure analyst Sean Sullivan said he thought it unlikely that they are affiliated with the Anonymous hacktivist collective.

“Doesn’t really sound like Anonymous or copycats to us. It also doesn’t seem to have been for the ‘lulz’ based on the current information,” Sullivan told The INQUIRER.

SOCA was unavailable for comment at the time of writing.

Source: http://www.theinquirer.net/inquirer/news/2173752/teens-arrested-following-soca-attack

Guest post written by Jonathan Lewis

5/08/2012 @ 10:02PM

As cyber security moves from a purely technical issue to a major business concern, CIOs are faced with the thorny problem of how to best protect their company without over-spending on security. Security is about protecting confidentiality, integrity and network availability. Thus far, security spending has largely been focused on confidentiality and integrity with relatively little spending on protecting network availability. Research shows that it’s time for this approach to change.

Loss of data center availability due to Distributed Denial of Service (DDoS) attacks has emerged as one of the most prevalent and costly forms of cybercrime. Motivations include extortion, revenge and competitive advantage, as well as a recent explosion of politically motivated attacks, also known as “hacktivism.”

The means to carry out sophisticated and effective attacks are within easy reach of anyone with a PC and an Internet connection. Do-it-yourself DDoS attack tools are readily available and easy to use. Botnets for rent and DDoS attack services are available to anyone with as little as $50 and a grudge. A quick search on YouTube for “DDoS Service” shows how openly these attack services are being sold. As a result, enterprises and service providers are experiencing attacks on their data centers more often and with more severe business consequences than ever before.

The goal of the attacker is to prevent a data center from performing its core function – whether that be transacting e-commerce; delivering e-mail or voice services; providing DNS services; serving up Web content delivery; hosting games; and so on. Because the attacker is trying to create maximum disruption, attacks are most likely to occur at the worst possible time for the victim. For example, online retailers are especially vulnerable during the peak shopping period between Thanksgiving and Christmas and especially on Cyber Monday.

CIOs should take a proactive approach for incorporating the DDoS threat into security and business continuity planning. The steps are straightforward. First, gain an understanding of the cost of service outages. In other words, determine what the hourly cost will be to your business if the data center is down or disabled due to an attack. Second, understand the probability that your business will be attacked and experience service outages. Lastly, take a risk management approach and consider the business impact of extended outages (i.e. 24 hours or more), weighing the expected costs/risks against the cost of investing in DDoS protection to ensure service availability.

The hourly cost of downtime will be unique to your business but generally comprises the following elements:

  • Operations: What is the number of IT personnel that will be tied up addressing the attack and what is the hourly cost of that?
  • Help Desk: If systems are shut down, how many help desk calls will be received and what is the cost per call?
  • Recovery: How much manual work will be required to re-enter transactions?
  • Lost Worker Output: What is the level of employee output lost to downtime and the costs associated with that?
  • Lost Business: How much business will be lost for every hour the network is down?
  • Lost Customers: How many existing customers will defect to the competition? What is the lifetime value of these customers?
  • Penalties: How much will it cost in terms of service level agreement (SLA) credits or other penalties?
  • Lost Future Business: How much will your ability to attract new customers be affected? What is the full value of that lost business?
  • Brand and Reputation Damage: What is the cost to the company in terms of brand value?

Compare your results to industry averages. The Ponemon Institute surveyed 41 business managers from 16 different industry segments on the costs their operations had incurred due to unplanned data center outages. The hourly cost of downtime ranged from $8,500 to $210,000 per 1000 square feet of data center space in operation. Financial services and online commerce showed the highest costs per hour.

Next, consider the risk of attack. If your business has already been a victim of DDoS, the likelihood of subsequent attacks is high – you are already a target. Even if you have not been attacked before there is still substantial risk. Once again, industry averages provide helpful guidance for risk planning. The most recent figures indicate expected annual downtime due to DDoS for an average data center is about 12 hours.

Combining the expected annual downtime with the hourly cost of downtime provides a good guideline as to the annual cost (or “annual loss expectancy”) your business is likely to incur if you do not deploy effective DDoS protection. However, this does not provide the complete picture. There is the question of managing risk. DDoS attacks can bring down or seriously degrade services for days at a time. While the average expected annual outage time is about 12 hours, there is a smaller but real risk of extended downtime from DDoS. Outages of 24 hours and more are not uncommon. Thus DDoS should figure into business continuity planning much in the same way as fire and natural disaster do. In short, while the annual loss expectancy due to DDoS is an important economic consideration, it may be even more important to protect the business from catastrophic loss if it can be done at a cost that is both manageable and predictable.
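The three steps above reduce to a small calculation, and it is easy to get the units wrong when the hourly cost is being argued over in a budget meeting. The following Python is an added example, not code from the Forbes post or its author: it totals the hourly cost elements from the list above, multiplies by expected annual downtime to get the annual loss expectancy, checks the hourly figure against the Ponemon per-1000-square-feet range quoted above, and weighs the result against an assumed annual price for a mitigation service and against the 24-hour extended-outage scenario. The 12-hour downtime average and the Ponemon range come from the article; every other figure (the retailer's costs, the mitigation price, the floor space) is constructed.

```python
from dataclasses import dataclass, fields

# Industry reference points quoted in the article.
EXPECTED_DDOS_HOURS_PER_YEAR = 12                # average annual DDoS downtime per data center
PONEMON_RANGE_PER_1000_SQFT = (8_500, 210_000)   # hourly downtime cost range, USD


@dataclass
class HourlyDowntimeCost:
    """One field per cost element in the article's list; values are USD per hour of outage."""
    operations: float = 0.0           # IT staff time tied up handling the attack
    help_desk: float = 0.0            # extra calls x cost per call
    recovery: float = 0.0             # manual re-entry of transactions
    lost_worker_output: float = 0.0
    lost_business: float = 0.0        # revenue lost per hour offline
    lost_customers: float = 0.0       # lifetime value of defecting customers, spread per hour
    penalties: float = 0.0            # SLA credits and contractual penalties
    lost_future_business: float = 0.0
    brand_damage: float = 0.0

    def total(self) -> float:
        return sum(getattr(self, f.name) for f in fields(self))


def annual_loss_expectancy(hourly_cost: float, expected_hours_down: float) -> float:
    """ALE = hourly cost of downtime x expected hours of DDoS downtime per year."""
    return hourly_cost * expected_hours_down


def within_ponemon_range(hourly_cost: float, data_center_sqft: float) -> bool:
    """Normalise to cost per 1000 sq ft and compare with the survey range quoted above."""
    per_1000 = hourly_cost / (data_center_sqft / 1000)
    lo, hi = PONEMON_RANGE_PER_1000_SQFT
    return lo <= per_1000 <= hi


def evaluate(cost: HourlyDowntimeCost, annual_mitigation_cost: float,
             expected_hours_down: float = EXPECTED_DDOS_HOURS_PER_YEAR,
             extended_outage_hours: float = 24) -> dict:
    """Step 3 of the article: weigh ALE and the extended-outage loss against the cost of protection."""
    hourly = cost.total()
    ale = annual_loss_expectancy(hourly, expected_hours_down)
    extended = hourly * extended_outage_hours
    return {
        "hourly_cost": hourly,
        "ale": ale,
        "extended_outage_cost": extended,
        "net_benefit_vs_ale": ale - annual_mitigation_cost,
        "mitigation_justified": annual_mitigation_cost < ale,
        # Does a single bad day already exceed the annual protection bill?
        "extended_outage_exceeds_mitigation": extended > annual_mitigation_cost,
    }


# Constructed sample for a hypothetical online retailer; the figures are illustrative only.
SAMPLE_COST = HourlyDowntimeCost(
    operations=1_200, help_desk=400, recovery=800, lost_worker_output=2_500,
    lost_business=15_000, lost_customers=3_000, penalties=1_000,
    lost_future_business=2_000, brand_damage=1_100,
)
SAMPLE_MITIGATION_COST = 120_000   # assumed annual price of a mitigation service
SAMPLE_SQFT = 2_000                # assumed data center floor space

if __name__ == "__main__":
    result = evaluate(SAMPLE_COST, SAMPLE_MITIGATION_COST)
    for key, value in result.items():
        print(f"{key:>36}: {value}")
    print("within Ponemon range:", within_ponemon_range(result["hourly_cost"], SAMPLE_SQFT))
```

With the constructed figures the hourly cost comes to $27,000, the annual loss expectancy to $324,000 and a single 24-hour outage to $648,000, so the assumed $120,000 service is justified on ALE alone and even more so once the tail risk the article describes is counted. Swap in your own numbers per element rather than a single guessed hourly total; the breakdown is what lets finance challenge or accept each line.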

DDoS attacks are trending upward in frequency, size, duration and effectiveness. The good news is that there are solutions available that can prevent these attacks from bringing down data center services. CIOs who understand the economic value of data center services to their business, and who are aware of costs associated with DDoS threat, are well positioned to make the right business decisions with regard to investments in network availability protection.

Source: http://www.forbes.com/sites/ciocentral/2012/05/08/figuring-ddos-attack-risks-into-it-security-budgets/

There has already been much fallout from the recent massive release of information by the WikiLeaks organisation, including attacks on WikiLeaks itself by those angered by its actions that aimed to disrupt and discredit the organisation. This saw WikiLeaks targeted by a variety of sustained distributed denial of service (DDoS) attacks that aim to make its web presence inaccessible.

Although these attacks were seen to be relatively modest in size and not very sophisticated, the publicity that they received has served to raise awareness of the dangers of such attacks, which can be costly and time-consuming to defend against. DDoS attacks occur when a hacker uses large-scale computing resources, often using botnets, to bombard an organisation’s network with requests for information that overwhelm it and cause servers to crash. Many such attacks are launched against websites, causing them to be unavailable, which can lead to lost business and other costs of mitigating the attacks and restoring service.
DDoS attacks are actually extremely widespread. A recent survey commissioned by VeriSign found that 75% of respondents had experienced one or more attacks in the past 12 months. This is echoed in recent research published by Arbor Networks of 111 IP network operators worldwide, which showed that 69% of respondents had experienced at least one DDoS attack in the past year, and 25% had been hit by ten such attacks per month. According to Adversor, which offers services to protect against DDoS attacks, DDoS attacks now account for 4% of total internet traffic. Another provider of such services, Prolexic Technologies, estimates that there are 50,000 distinct DDoS attacks every week.

The research from Arbor Networks also shows that DDoS attacks are increasing in size, making them harder to defend against. It found that there has been a 102% increase in attack size over the past year, with attacks breaking the 100Gbps barrier for the first time. More attacks are also being seen against the application layer, which target the database server and cripple or corrupt the applications and underlying data needed to effectively run a business, according to Arbor’s chief scientist, Craig Labovitz. Among respondents to its survey, Arbor states that 77% detected application layer attacks in 2010, leading to increased operational expenditures, customer churn and revenue loss owing to the outages that ensue.

Measures that are commonly taken to defend against DDoS attacks include the use of on-premise intrusion detection and prevention systems by organisations, or the overprovisioning of bandwidth to prevent the attack taking down the network. Others use service providers, such as their internet service provider (ISP) or third-party anti-DDoS specialists, which tend to be carrier-agnostic and so are not limited to the services offered by a particular ISP. The first two options are time-consuming and costly for organisations to manage, and they must have the capacity to deal with the massive-scale, stealthy application-layer attacks that are now being seen.
With attacks increasing in size and stealthier application-layer attacks becoming more common, some attacks are now so big that they really need to be mitigated in the cloud before the exploit can reach an organisation’s network. ISPs and specialist third-party DDoS defence providers monitor inbound traffic and, when a potential DDoS attack is detected, redirect the traffic to a scrubbing platform based in the cloud. Here the attack can be mitigated, providing a “clean pipe” service: the service provider takes the bad traffic, cleans it and routes it back to the network in a manner that is transparent to the organisation.
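Diversion to a scrubbing platform only happens once something has decided that inbound traffic looks like an attack, so the detection step deserves a concrete illustration. The following Python is an added example, not code from the Computer Weekly post or from any provider it names: it parses web-server access-log lines in common log format and applies a sliding-window rate check both per source address and in aggregate, so a single noisy client and a flood spread across many sources are both reported. The log lines are constructed from documentation address ranges, and the window size and thresholds are assumptions to tune against your own baseline traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format, e.g.
# 192.0.2.50 - - [10/May/2012:10:58:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) - - \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (src_ip, timestamp, request, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request, int(status)


def detect_flood(lines, window_seconds=10, per_source_threshold=50, total_threshold=150):
    """Sliding-window rate check over access-log lines.

    Returns (flagged_sources, aggregate_alert):
      flagged_sources  set of IPs that sent >= per_source_threshold requests
                       inside any window_seconds span (one noisy client)
      aggregate_alert  True if the total request count crossed total_threshold
                       in a window, which catches a flood spread over many sources
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e[1])
    per_source = defaultdict(deque)
    overall = deque()
    flagged, aggregate_alert = set(), False
    for ip, ts, _request, _status in events:
        q = per_source[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop events that have fallen out of the window
            q.popleft()
        if len(q) >= per_source_threshold:
            flagged.add(ip)
        overall.append(ts)
        while ts - overall[0] > window:
            overall.popleft()
        if len(overall) >= total_threshold:
            aggregate_alert = True
    return flagged, aggregate_alert


def make_sample_log():
    """Constructed traffic: two ordinary visitors plus two sources hammering the site."""
    base = datetime(2012, 5, 10, 10, 58, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_s, path="/"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')

    for i in range(5):
        add("198.51.100.7", 2 * i, "/forum")     # normal browsing, one page every 2 s
    for i in range(3):
        add("203.0.113.9", 3 * i, "/news")
    lines.append("garbage line that the parser should skip")
    for i in range(80):
        add("192.0.2.50", 0.1 * i)               # 80 requests in 8 s
    for i in range(80):
        add("192.0.2.51", 0.1 * i, "/search?q=x")
    return lines


if __name__ == "__main__":
    sources, aggregate = detect_flood(make_sample_log())
    print("per-source offenders:", sorted(sources))
    print("aggregate flood:", aggregate)
```

The per-source check alone would miss a botnet in which each host stays under the threshold, which is why the aggregate counter is kept as well; in practice the aggregate threshold is set from a measured peak of legitimate load, and a trigger is what starts the diversion to scrubbing rather than an automatic block.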

Guarding against DDoS attacks is essential for many organisations and vital especially for those organisations with a large web presence, where an outage could cost them dearly in terms of lost business. DDoS attacks are becoming increasingly targeted and are no longer just affecting larger organisations. Rather, recent stories in the press have shown that organisations of all sizes are being attacked, ranging from small manufacturers of industry food processing equipment and machinery through to large gambling websites.
By subscribing to cloud-based DDoS mitigation services, organisations benefit from protection that is better than they could achieve by themselves, and often cheaper: the cost of the hardware and its maintenance is spread across all subscribers, and organisations need not over-provision bandwidth because attack traffic is directed away from their networks. For protecting vital websites, subscribing to such a service is akin to taking out insurance on those web assets, guarding the organisation against the cost and reputational damage that can follow from a successful DDoS attack that renders services unavailable.

Source: http://www.computerweekly.com/blogs/Bloor-on-IT-security/2011/02/ddod-attacks-coming-to-a-network-near-you.html

User forum Whirlpool was hit by a distributed denial-of-service (DDoS) attack last night, according to the site’s hosting provider BulletProof Networks.

Although BulletProof Networks chief operating officer (COO) Lorenzo Modesto first said that Whirlpool was the only one of its customers to be affected by the attack, he said later that its public and private managed cloud customers were experiencing intermittent degraded network performance also.

“BulletProof customers have been kept in the loop throughout (per our standard procedures),” Modesto said.

Modesto added that BulletProof had discussed the issue with Whirlpool, resulting in the site being offline last night while the provider gathered more information. The site is back online this morning.

“We made the decision to bring Whirlpool back online in the early hours of this morning through one of our international [content distribution network points of presence] that are usually used to deliver local high-speed content to the offshore users of customers like Movember,” Modesto said.

“We’re continuing the forensics just in case they’re needed and are keeping an eye on Whirlpool,” he added.

The attack had come from servers in the US and Korea, according to BulletProof.

“We’ve also been able to record server addresses and other relevant details and have escalated the source servers to the relevant providers in Korea and the US,” he said. “If we need to, we’ll pass all details onto the [Australian Federal Police] with whom we’ve built a good relationship, but we’ll see how this pans out for the moment.”

This has not been the first DDoS attack to hit the popular site. Last June it experienced ten hours of downtime from a DDoS attack.

BulletProof Networks had also collected internet protocol addresses from that attack, but decided not to prosecute as a “sign of good will”, saying that DDoS was recognised more as a protest than a crime.

However, not all DDoS perpetrators have received the same treatment in the past. Recently Steven Slayo, who was part of the anonymous band which launched attacks against government sites last year over the government’s planned mandatory internet service provider level internet filter, was taken to court over his actions.

He pleaded guilty, but escaped criminal conviction because the magistrate deemed him an “intelligent and gifted student whose future would be damaged by a criminal record”.

Source: http://www.zdnet.com.au/whirlpool-hit-by-ddos-attack-339308730.htm

The Wireshark development team has released version 1.2.14 and 1.4.3 of its open source, cross-platform network protocol analyser. According to the developers, the security updates address a high-risk vulnerability (CVE-2010-4538) that could allow a remote attacker to initiate a denial of service (DoS) attack or possibly execute arbitrary code on a victim’s system.

Affecting both the 1.2.x and 1.4.x branches of Wireshark, the issue is reportedly caused by a buffer overflow in ENTTEC (epan/dissectors/packet-enttec.c) – the vulnerability is said to be triggered by injecting a specially crafted ENTTEC DMX packet with Run Length Encoding (RLE) compression. A buffer overflow issue in MAC-LTE has also been resolved in both versions. In version 1.4.3, a vulnerability in the ASN.1 BER dissector that could have caused Wireshark to exit prematurely has been corrected.

All users are encouraged to upgrade to the latest versions. Alternatively, users that are unable to upgrade to the latest releases can disable the affected dissectors by selecting “Analyze”, then “Enabled Protocols” from the menu and un-checking “ENTTEC” and “MAC-LTE”.

More details about the updates, including a full list of changes, can be found in the 1.2.14 and 1.4.3 release notes. Wireshark binaries for Windows and Mac OS X, as well as the source code, are available to download and documentation is provided. Wireshark, formerly known as Ethereal, is licensed under version 2 of the GNU General Public Licence (GPLv2).

Source: http://www.h-online.com/open/news/item/Wireshark-updates-address-vulnerabilities-1168888.html