DoS Attacks Archive

The leaves may change color, but the roots are the same. Are you ready for AI-based DDoS attacks?

What keeps me awake at night is the thought of artificial intelligence lying in wait in the hands of bad actors. Artificial intelligence combined with the powers of IoT-based attacks will create an environment tapped for mayhem. It is easy to write about, but it is hard for security professionals to combat. AI has more force, severity, and fatality which can change the face of a network and application in seconds.

When I think of the capabilities artificial intelligence has in the world of cybersecurity, I know that unless we prepare well, we will be like Bambi walking in the woods. The time is now to prepare for the unknown. Security professionals must examine the classical defense mechanisms in place to determine if they can withstand an attack based on artificial intelligence.

Fail to prepare, prepare to fail

The arrival of new technologies comes with an abundance of security threats. New products are released to cover the inadequacies in protocols. With today’s attack surface, no one can ever be fully secure. Being almost secure is good enough for most and security teams work on the basis that it’s not a matter of if, it’s a matter of when.

There are well-known mechanisms to combat distributed denial of service (DDoS) attacks. We can spread the perimeter, offload to a scrubbing center, and tackle the problem head-on. Then along came IoT-based attacks that raised the bar causing respectable networks to fall flat. However, there is only so much bandwidth out there and the headlines are often worse than the capabilities.

What I haven’t heard too much about are the repercussions of artificial intelligence in the hands of bad actors. It is a combination that will inevitably unlock a more powerful form of DDoS attack. A machine does not stop, get tired, lose concentration or panic. AI-based attacks keep their cool, maintaining constant momentum while under pressure from defense mechanisms.

The only way to fight a machine is with another machine. Any other way is useless. Unless you want to be left blindfolded, security professionals must look to introduce artificial intelligence on the defense side and not rely on traditional defense mechanisms. An AI-based defense comes in two flavors: unsupervised and supervised machine learning systems, with unsupervised learning being the superior defense mechanism of the two. L7Defense is a pioneer in the ability to defend from attacks in real-time using unsupervised machine learning.

From scripts with loops to automated AI-based attacks

Did you know the first DoS attack was carried out in 1974? It went mainstream with classical bots that started in the early 2000s and consisted of a manual denial of service (DoS) approach. Essentially, DoS is when a bad actor sends traffic to overwhelm a system. Back then, they were pretty basic. Even if tools were not readily available, those with moderate technical skill could carry out an attack. A single machine would send a single attacking signature. The automation was essentially done by manual keyboard entries.

This proved to be inefficient and bad actors quickly moved from manual to semi-manual. For example, this may include a simple script combined with a number of loops enabling a level of automation. However, we still only had a limited number of attacking signatures that were preconfigured in the script and only one IP source was used. The attack surface and vectors used were limited.

We then moved into a semi-automated wave consisting of multiple attacking IP sources. The introduction of command & control (C&C) servers presented a new shift in DoS, known as distributed denial of service (DDoS). C&C servers are centralized machines controlled by bad actors that are able to send commands and receive outputs. The C&C servers were not sophisticated, but they could control a number of infected end host computers, spreading the attack source. These infected computers were known as botnets.

The botnets would receive predefined commands from the C&C servers and carry out a set pattern of attack signatures. The signatures were set in stone regardless of how well the defense side was doing. The botnets were still static because the C&C Servers issue similar commands to each of them. The scale of the attack increased but the intelligence didn’t. We experienced more spread and a larger attacking surface but with the same intelligence.

Malware automation

The major turning point in the evolution of DDoS came with the automatic spreading of malware. Malware is a word you hear a lot and is a term used to describe malicious software. The automatic spreading of malware represented the major route for automation and marked the first phase of fully automated DDoS attacks. Now, we could increase the distribution and schedule attacks without human intervention. Malware could automatically infect thousands of hosts and apply lateral movement techniques, spreading from one network segment to another. Moving between network segments is known as beachheading, and malware could beachhead from one part of the world to another.

There was still one drawback. And for the bad actor, it was a major drawback. The environment was still static, never dynamically changing signatures based on responses from the defense side. The botnets were not variable by behavior. They were ordered by the C&C servers to sleep and wake up with no mind for themselves.

As I said, there is only so much bandwidth out there. So, these types of network attacks started to become less effective. Bad actors started to sidestep a little and target the application layer instead of the network infrastructure. Reflection-style attacks started to appear along with their enhancement, known as amplification. Distributed reflection denial of service attacks were the worst at that time. Reflection attacks abuse user datagram protocol (UDP) services. UDP is connectionless by design, and the receiver does not validate the source IP address, which is the address of the client requesting a service. This lack of validation makes it possible for someone to pretend to be you by using your IP as the source, known as IP spoofing.

Unknowingly, the legitimate source that has its IP address spoofed is overwhelmed when the UDP server sends back its responses. The UDP server is essentially acting as the reflector, hiding the identity of the bad actor. Amplification exploits the fact that the size of responses is generally much larger than the size of server requests. A simple request sent to can include a response with many IP addresses along with additional information. If a DNS server can amplify requests by a factor of 200, a bad actor with a bandwidth of 100Mbps using both amplification and reflection techniques can generate an attack of 200Gbps. Now, can you imagine what happens if there are thousands of reflectors?

Different variations of layer 3, 4 and 7 based attacks were well underway with readily available tools. It became easy and cheap to launch an attack. The major difference between these attack variations is the ability to create a session, for example, a secure sockets layer (SSL) session for the victim with an attempt to cause session exhaustion higher up in the stack. Alternatively, the bad actor may send a flood of internet control message protocol (ICMP) messages without waiting for a reply, making no attempt to take over the session.

Eventually, a combination developed to form a dangerous mix of layer 3, 4 and 7 based attacks. The classical volumetric attack was often combined with a layer 7 attack focusing on the application. The volumetric attack would simply act as a cover for the layer 7 based attack. Application attacks are heaven for bad actors. Each web application represents an infinite number of attack possibilities with so much variation for them to pick and choose from. There are so many tools available out there that can generate random page attacks along with randomization techniques. Web security companies are on the back foot. They have the capability to scan for and detect hundreds of thousands of vulnerabilities but not an infinite number of signatures.

Things got a bit more serious when bad actors started to combine the automatic spreading of malware with IoT. We experienced a mega-attack scale and solid networks started to hit the floor. While traditional C&C’s are not very sophisticated, the big brother IoT C&C servers are more dynamic and can control botnets with a number of optimizations that can change every few seconds based on the defense response.

They are heaps more intelligent than the classical C&C’s. The botnets are no longer static. Each botnet now controls its own unit of work representing many small armies working in isolation attacking a single destination.

The rise of artificial intelligence

Today, we are entering into a different wave of DDoS attack. This new era has all the power of IoT-based attacks along with artificial intelligence combined with various feedback loops and automatic optimizations.

Artificial intelligence is constantly optimizing, changing parameters and signatures automatically in response to the defense without any human interaction. It works alone keeping security professionals up all night unless the right precautions are in place.

There are two flavors of AI-based defenses: supervised and unsupervised machine learning. Supervised learning is similar to having a teacher with a predefined curriculum including specific questions and answers. With unsupervised learning, there is no teacher and no narrow curriculum. The curriculum develops itself based on the student’s changing needs.

Supervised learning needs to be fed with examples in order to deal with the situation. After enough examples, it becomes a closed problem. However, this represents a number of drawbacks in the world of AI-based attacks. If you have malware different from the examples the system was given, will the system identify and appropriately deal with it? Probably not, and this is where false positives start to increase.

Unsupervised learning is superior in the sense that you don’t need to feed the system with examples. This represents a major shift in how you protect against a machine that is constantly changing in response to the defense side. Unsupervised learning has the ability to change and adapt as the problem itself changes. The real issue hitting supervised learning is that traffic patterns are, by their very nature, unpredictable. The source and destination IP endpoints may remain unchanged but there can be numerous alterations in the headers and message body. The variations are a major problem for supervised learning.

No one can predict and create examples for all application traffic profiles and potential attack vectors. As a result, we cannot cover the entire space and feed a supervised machine learning system with enough examples to cover every possible angle. If you can’t cover the entire space, then you need a system that can analyze the environment by itself and figure out, without human intervention, the best possible path of action while still keeping false positives to a minimum. A system that can dynamically learn and adapt to known and unknown environments.
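To make the unsupervised idea concrete, here is an added example (not from the original article, and not any vendor's method): a detector that learns a baseline from unlabelled traffic windows and flags windows that deviate from it, using median/MAD robust z-scores. The features, thresholds and sample traffic are constructed assumptions, and the warm-up windows are assumed to be clean.

```python
import math
from collections import Counter, deque
from statistics import median

def entropy(values):
    """Shannon entropy in bits of a list of categorical values."""
    total = len(values)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in Counter(values).values())

def features(window):
    """Summarise one time slice of (path, user_agent) request records."""
    return (float(len(window)),
            entropy([path for path, _ in window]),
            entropy([agent for _, agent in window]))

class BaselineDetector:
    """Learns 'normal' from unlabelled traffic; no attack examples are supplied."""

    def __init__(self, warmup=5, threshold=6.0, history=50):
        self.warmup = warmup          # windows used to seed the baseline
        self.threshold = threshold    # robust z-score above which we flag
        self.history = deque(maxlen=history)

    def score(self, feats):
        """Largest robust z-score (median/MAD) across all features."""
        worst = 0.0
        for i, value in enumerate(feats):
            column = [h[i] for h in self.history]
            mid = median(column)
            mad = median([abs(x - mid) for x in column])
            # Floor the scale so a nearly constant feature does not divide by ~0.
            scale = max(1.4826 * mad, 0.05 * abs(mid), 1e-9)
            worst = max(worst, abs(value - mid) / scale)
        return worst

    def observe(self, window):
        """Return (is_anomalous, score) and adapt the baseline to normal traffic."""
        feats = features(window)
        if len(self.history) < self.warmup:
            self.history.append(feats)
            return False, 0.0
        s = self.score(feats)
        anomalous = s > self.threshold
        if not anomalous:             # never learn from windows judged hostile
            self.history.append(feats)
        return anomalous, s

# Constructed sample traffic (not real logs).
PATHS = ["/", "/login", "/cart", "/search"]
AGENTS = ["UA-A", "UA-B", "UA-C"]

def normal_window(i):
    return [(PATHS[j % 4], AGENTS[j % 3]) for j in range(40 + i % 5)]

def flood_window():
    # Volumetric burst: ten times the usual request count.
    return [(f"/item?id={j}", "UA-A") for j in range(400)]

def low_and_slow_window():
    # Normal request count, but every path is different (randomised pages).
    return [(f"/page/{j}", AGENTS[j % 3]) for j in range(42)]

def run_demo():
    """Indices of the windows the detector flags in the constructed stream."""
    det = BaselineDetector()
    stream = [normal_window(i) for i in range(8)]
    stream += [flood_window(), normal_window(9), normal_window(10),
               low_and_slow_window(), normal_window(12)]
    return [i for i, w in enumerate(stream) if det.observe(w)[0]]

if __name__ == "__main__":
    print(run_demo())
```

The second flagged window has an ordinary request count and is caught only because its path entropy departs from the learned baseline, which is the case a fixed signature or a rate limit would miss.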

Supervised learning can help to a certain extent but in a world that is full of dynamic variables, you really need a system that can adapt to these changes and predict the unknown future that AI-based attacks will bring.

Within the cybersecurity realm, attackers are moving fast. It is similar to moving from ice to water: the ice is not moving, so what you need now is not a hammer for the ice but a device that can analyze the water to detect a poisonous ingredient in disguise. This is why you need to move from supervised to unsupervised learning.


The botnet-making malware employs a suite of anti-detection techniques

A HIGHLY SOPHISTICATED BOTNET is on the hunt for PCs to enslave and use as malware-spreading machines.

The botnet-recruiting malware has been dubbed Mylobot by Deep Instinct security researcher Tom Nipravsky, who discovered the malicious code after it was detected and prevented from causing chaos in one of the company’s client’s live IT environments.

Not only can the malware add an infected machine into a botnet suitable for spreading more malware, launching DDoS attacks, and powering ransomware campaigns, it’s also pretty good at evading detection.

Mylobot has one particularly interesting trait in that it hunts down and terminates instances of other malware and deletes the folders associated with other botnets, such as DorkBot.

“We estimate this rare and unique behaviour is because of money purposes within the Dark web. Attackers compete against each other to have as many ‘zombie computers’ as possible in order to increase their value when proposing services to other attackers, especially when it comes to spreading infrastructures,” explained Nipravsky.

“The more computers – the more money an attacker can make. This is something we’re seeing here as well.”

The sophistication of the malware and the botnet it creates is likely due to it being designed to generate money for hackers and people who lurk on the Dark Web.

Mylobot is also a dab hand at shutting down Windows Defender and Windows Update while locking additional ports on an infected machine’s firewall. It also deletes the %APPDATA% folder, which can trigger data loss.

But a lot of the damage the malware can cause depends on the payload it has been equipped with. Its main aim, though, appears to be the complete takeover of a victim’s computer and then its enslavement into a botnet – and depending on what the affected machine is used for, the damage to it can become pretty nasty.

“This can result in loss of tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in enterprises,” said Nipravsky.

“The fact that the botnet behaves as a gate for additional payloads, puts the enterprise in risk for leak of sensitive data as well, following the risk of keyloggers / banking trojans installations.”

Such sophisticated malware is rare and, despite its smart design, it was still detected by Deep Instinct’s security tech, though it’s worth noting the firm uses deep learning techniques to dig out cyber nasties, something run-of-the-mill anti-virus software doesn’t offer.

So best be extra vigilant for the time being about what you’re downloading or what’s lurking behind the processes of your PC.

Axis Communications, one of the largest manufacturers of video surveillance equipment in the world, has fixed critical security flaws that affect some 390 of its network camera models.

The vulnerabilities were found by researchers from IoT security firm VDOO as part of a research project called Vizavis that focuses on safety and security products. The researchers found seven vulnerabilities ranging from authorization bypass to unrestricted dbus access, shell command injection and information leakage.

“Chaining three of the reported vulnerabilities together allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera,” the VDOO researchers said in a blog post.

A successful exploit allows hackers to access the camera’s video stream, freeze the video stream, move the camera lens, turn motion detection on and off, add the camera to a botnet, alter the camera’s software and render the device useless.

As with most compromised IoT devices, infected cameras can be used as a pivot point for lateral movement inside local networks or can be used to launch DDoS attacks, mine cryptocurrency, proxy malicious traffic and more.

Because attackers don’t require any credentials to compromise the cameras, those that are exposed directly to the internet, for example through port forwarding rules, are at higher risk of being compromised, Axis said in an advisory.

The company recommends updating the camera firmware to the latest version and isolating the device from the internet, especially since the company provides a free application called AXIS Companion for Windows, Android and iOS that allows accessing the camera video feed securely.

“Optionally apply IP filtering (which uses IP tables internally) in the devices to whitelist authorized clients,” the company said. “This mitigates risk for newly discovered vulnerabilities as well as the risk for compromised passwords.”

Axis also published a document listing all camera models affected by these vulnerabilities along with the corresponding firmware version that contains patches for them. It’s really important for users to update the firmware because VDOO’s blog post contains sufficient technical details and proof-of-concept code for attackers to create exploits.

Malware programs that target embedded devices such as IP cameras, NAS boxes and routers have grown both in number and sophistication over the past few years, with IoT botnets being responsible for many of the DDoS attacks seen on the internet.

6-Year-Old Adware Used Signed Rootkit to Fly Under the Radar

A massive adware operation capable of intercepting HTTPS communications in browsers and injecting ads into websites has flown under the radar by using a digitally signed rootkit that blocks anti-malware products from running correctly.

The adware is dubbed Zacinlo and has multiple components, some of them dating back to at least 2012, according to a paper by researchers from Bitdefender. However, the campaign was most active toward the end of 2017.

The vast majority of the detections were in the United States, but samples were also found in France, Germany, Brazil, China, India, Indonesia and the Philippines. Surprisingly, almost 90 percent of detections were on computers running Windows 10, highlighting this malware’s ability to bypass the latest anti-rootkit defenses built into Windows.

The rootkit driver was signed with digital certificates that were expired at the time of discovery but had been issued to entities with names suggesting they were based in China. Once installed on a system, the rootkit searches for anti-malware modules from security products by Bitdefender, Qihoo, Kingsoft, Malwarebytes, Symantec, Panda, HitmanPro, Avast, AVG, Microsoft, Kaspersky, Emsisoft and Zemana, and blocks them from starting.

“The user-mode component that will later download and start the payload is started by the driver so that it leaves very few traces behind: a copy is made in another location and a process is created from the copied file,” the Bitdefender researchers said in their paper. “After the process is started, the copied file is overwritten with zeros. As a result, the user-mode component has no apparent persistence on the system and even its file leaves no forensic evidence.”

The adware program gets installed along with legitimate software and has a lot of functionality implemented by different components. In addition to executing man-in-the-browser attacks, it can disable other adware running on the system, it can receive instructions to uninstall and delete services, it collects information about the system and reports it back to the command-and-control server, it takes screenshots of the desktop compromising the user’s privacy, it can install additional software, it receives automatic updates, it redirects pages in browsers, it injects ads into web pages, it opens pages in the background and interacts with them and more.

The adware is specifically designed for advertising fraud, earning money by tricking advertising companies into thinking that real users viewed and clicked on their ads.


Researcher exploits design flaws in Web caching to take control of popular websites, frameworks – and the Mozilla Firefox browser infrastructure.

A newly discovered attack forces Web cache servers to deliver malicious content to website visitors – and also exposes a major security hole in Mozilla’s Firefox browser infrastructure.

James Kettle, head of research at PortSwigger Web Security, exploited security weaknesses in the design of website infrastructure to hack the Web caches of major sites and platforms: a US government agency, a popular cloud platform provider, a hosting platform provider, a software product, a video game, an investment firm’s investor information, and some online stores.

“It’s sort of a design flaw in the way caching and websites work,” Kettle says of the security issues. “It’s not specific to any given technology or any given cache.”

In his research, Kettle also stumbled on a flaw in an API used in Firefox’s infrastructure that allowed him to take partial control of tens of millions of browsers using his cache-attack method. “I call it a low-fat botnet because I didn’t have complete control over Firefox, but I had a bit of control,” he says.

Kettle is holding back much of the secret sauce of the Web-caching hack as well as his Web targets until his Black Hat USA talk in August. But he does say that with his attack, he can force a cache into behaving in an unsavory way without directly targeting it.

It basically works like this: Kettle sends a request to the website with his payload. “The website then replies with something potentially dangerous … and the cache takes that, so then anyone who visits after that gets hit by the exploit,” he says.

Web caches sit in front of websites and serve up stored content rather than all of the delivery coming via the live website. Kettle says the complexity of those caches and content-delivery networks built around many of today’s Web applications can actually leave them open to abuse.

Previous research in Web cache security has encompassed injecting headers, or tricking the cache into saving and sharing sensitive data, Kettle says. His attack differs because it forces the cache to serve up exploits to website visitors, he notes.

An attacker could use it to plant malware that steals passwords or payment-card information from a website when visitors came to the site. The attack could also be employed to deface a website or redirect a visitor to a malicious site.
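The flow described above can be reproduced in a toy in-memory model, given here as an added example that is not from the article or from Kettle's research. The article does not disclose the actual technique, so the reflected header `X-Example-Label`, the origin function and the cache class are hypothetical stand-ins; the point is the defensive check of which request inputs shape a response without being part of the cache key.

```python
def origin(path, headers):
    """Hypothetical origin whose output depends on a request header."""
    label = headers.get("x-example-label", "default")
    return f"<p>{label} content for {path}</p>"

class Cache:
    """Toy shared cache sitting in front of an origin function."""

    def __init__(self, origin_fn, keyed_headers=()):
        self.origin_fn = origin_fn
        # Request headers that are part of the cache key (lower-cased).
        self.keyed_headers = tuple(h.lower() for h in keyed_headers)
        self.store = {}

    def get(self, path, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        key = (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)
        if key not in self.store:
            # Cache miss: ask the origin and keep whatever it replied.
            self.store[key] = self.origin_fn(path, headers)
        return self.store[key]

def leaks_to_next_visitor(cache, path, header, marker):
    """True if a value sent by one client appears in another client's response."""
    cache.get(path, {header: marker})   # first client supplies the header
    return marker in cache.get(path)    # second client sends nothing special

def audit(keyed_headers, candidates, path="/home"):
    """Return candidate headers that influence the page but are not in the key."""
    findings = []
    for header in candidates:
        cache = Cache(origin, keyed_headers)   # fresh cache for each probe
        if leaks_to_next_visitor(cache, path, header, "MARKER-1234"):
            findings.append(header)
    return findings

CANDIDATES = ["X-Example-Label", "Accept-Language"]

def weak_config_findings():
    # Weak setting: the cache keys on the path only.
    return audit(keyed_headers=(), candidates=CANDIDATES)

def corrected_config_findings():
    # Corrected setting: the header the origin reads is part of the key.
    return audit(keyed_headers=("X-Example-Label",), candidates=CANDIDATES)

if __name__ == "__main__":
    print("path-only key:", weak_config_findings())
    print("header in key:", corrected_config_findings())
```

Keying on the header is one fix; having the origin ignore the header entirely removes the dependency altogether.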

Firefox Botnet

With Firefox, Kettle employed his cache-poisoning attack against the infrastructure behind the browser that checks for and sends application and plug-in updates as well as URLs of dangerous websites to block, for example. “I found by accident … that I was able to use cache poisoning to effectively input” some limited commands to Firefox browser users worldwide, he says. “If you opened Firefox, I got control of it.”

Mozilla fixed the flaw within 24 hours of his reporting it, in a Jan. 25 update.

When Firefox starts up, it sends a request to the Mozilla infrastructure for updates and other information. “By using cache poisoning, I could control the response to that message,” Kettle says. That could allow an attacker to install certain extensions and corral Firefox browsers into a botnet to wage distributed denial-of-service (DDoS) attacks, for example.

Kettle says abusing the Firefox flaw alone would be less useful to an attacker than chaining an attack with another exploit and gaining full control of the browsers.

As of this posting, Mozilla had not responded to a request for comment on Kettle’s research.

At Black Hat, Kettle plans to release the open-source utility he created for his research, an adapted Burp Suite tool that scans Web infrastructures for cache-poisoning weaknesses, he says.



An Akron man is facing federal charges after he was arrested Thursday morning for allegedly hacking the city of Akron and Akron Police Department websites last year.

According to an FBI spokesperson, 32-year-old James Robinson was charged with knowingly causing the transmission of a program, information, code and command, and intentionally causing damage to a protected computer.

Authorities say Robinson carried out the cyber attacks on Aug. 1, 2017. The distributed denial of service (DDoS) attack overwhelmed both websites and took them down for a period of time.

On the day of the attack, a Twitter user named @AkronPhoenix420 tweeted a link to a YouTube video claiming credit for taking the websites out of service. The tweets included the hashtags #Anonymous and #TangoDown, authorities said.

The video showed a person in a Guy Fawkes mask and the statements “it’s time to teach the law a lesson,” and “Akron PD abuses the law.” The video also stated, “this week the city of Akron experienced system failures on multiple domains including their emergency TCP ports.”

Evidence linked the attack’s point of origin to an internet connection registered to Robinson. Additional evidence showed his phone was associated with the @AkronPhoenix420 Twitter account, police said.

The same Twitter account also claimed responsibility for numerous other DDoS attacks targeted at the Ohio Department of Public Safety, Department of Defense, and others. Police said the characteristics of those attacks had similarities with the one carried out in Akron.

Police executed a search warrant on Robinson’s home on May 9. Inside, they found a Guy Fawkes mask and a cell phone with a cracked screen that was seen in the video. Authorities said Robinson told them he was responsible for the Akron cyber attack as well as the DDoS attacks against the Department of Defense.