DDoS Archive

The first event of the 2014 Swedish Masters, the online poker series run by Sweden’s state-owned monopoly company Svenska Spel, did not go as expected, as a distributed denial-of-service (DDoS) attack obliged the room to cancel the event and refund all the players.

Initially scheduled to take place on Sunday, Nov. 2, the tournament ended up without a winner, but with 1,451 players being refunded for their tournament buy-ins.

“We have had a number of DDoS attacks last week, that went on into the evening,” a spokesperson from Svenska Spel told Sweden’s leading daily Aftonbladet. “At first, we paused the tournament, but then we noticed that the attack started again, so we decided to cancel it.”

Planned to offer Svenska Spel’s players a good number of tournaments throughout the whole month of Nov., the 2014 Swedish Masters is now considered to be a series “at risk” per the room’s own admission, and it is possible that similar attacks will influence the regular play of the other events in the schedule.

The DDoS attacks came at a delicate time for Svenska Spel, as Sweden’s only licensed company has recently suffered significant revenue losses.

As reported by PokerNews on Monday, the company recorded 2.1 billion Swedish krona ($284 million) in 2014 third-quarter revenue, representing a 10.9-percent decline from the 2.4 billion Swedish krona ($325 million) in the same period in 2013. At the same time, 2014 year-to-date operating profit has declined nine percent from 3.8 billion Swedish krona ($514 million) in 2013 to 3.5 billion Swedish krona ($473 million) in 2014.

The negative trend, however, did not come as a surprise for the board of the company, as its CEO Lennart Käll explained that the numbers were “according to the company’s plan.”

According to Käll, the decline is due to the fact that “in recent years, the Swedish gambling market has evolved in the wrong direction,” and that Svenska Spel has decided to engage in a more socially responsible promotion of gambling and has adopted a series of measures that have limited its visibility compared to past years.

Source: http://www.pokernews.com/news/2014/11/svenska-spel-swedis.masters-ddos-attack-19727.htm

Guy Fawkes, famous for a plot to assassinate England’s King James in 1604 and for guarding copious amounts of gunpowder, is remembered every Nov. 5 in Britain with fireworks and bonfires. Researchers say that businesses should brace themselves for a different kind of plot: an influx of distributed denial of service (DDoS) attacks from hacktivist group Anonymous on Wednesday.

“The forecast for the future looks dark, as we expect to see many DDoS attacks during Guy Fawkes Day on November 5, as the Anonymous collective has already announced various activities under the Operation Remember campaign,” said Candid Wueest, threat researcher at Symantec, in a blog. “However, hacktivists protesting for their ideological beliefs are not the only ones using DDoS attacks. We have also seen cases of extortion where targets have been financially blackmailed, as well as some targeted attacks using DDoS as a diversion to distract the local CERT team while the real attack was being carried out.”

DDoS attacks have grown in intensity as well as in number in the last two years, although the duration of an attack is often down to just a few hours. Amplification attacks especially are very popular at the moment as they allow relatively small botnets to take out large targets with amplification factors of up to 500. For such an attack, spoofed traffic is sent to a third-party service, which will reflect the answer to the spoofed target.

“Such attacks are simple to conduct for the attackers, but they can be devastating for the targeted companies,” said Wueest.

From January to August 2014, Symantec has seen a 183% increase in DNS amplification attacks, making it the most popular method seen by Symantec’s Global Intelligence Network. Multiple methods are often used by attackers in order to make mitigation difficult and, to make matters worse, DDoS attack services can be hired for less than $10 on underground forums.
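The reflection pattern described above is visible from the target's side as UDP replies nobody asked for. The following is an added example, not code from the article or from Symantec: it flags local hosts that receive replies from reflector ports (DNS, NTP, SSDP) without a matching outbound query. The flow-record layout, the function name, the threshold and the sample data are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# UDP services commonly abused as reflectors (illustrative subset).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp"}

def find_reflection_targets(flows, local_net, min_sources=3):
    """Return {local_ip: summary} for hosts receiving unsolicited UDP replies.

    flows: time-ordered (ts, src_ip, src_port, dst_ip, dst_port, bytes) UDP
    records (hypothetical layout). A reply counts as solicited only if the
    local host earlier sent a packet to that remote ip/port from the same
    local port.
    """
    net = ipaddress.ip_network(local_net)
    asked = set()  # (local_ip, local_port, remote_ip, remote_port)
    hits = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for _ts, src, sport, dst, dport, size in flows:
        src_local = ipaddress.ip_address(src) in net
        dst_local = ipaddress.ip_address(dst) in net
        if src_local and not dst_local:
            asked.add((src, sport, dst, dport))
        elif dst_local and not src_local and sport in REFLECTOR_PORTS:
            if (dst, dport, src, sport) in asked:
                continue  # answer to a query this host actually sent
            h = hits[dst]
            h["sources"].add(src)
            h["bytes"] += size
            h["packets"] += 1
    # Many distinct reflectors answering one host is the tell-tale sign.
    return {
        ip: {"sources": len(h["sources"]), "bytes": h["bytes"], "packets": h["packets"]}
        for ip, h in hits.items()
        if len(h["sources"]) >= min_sources
    }

# Constructed sample flows (documentation address ranges only).
SAMPLE_FLOWS = [
    (0.0, "192.0.2.10", 40000, "198.51.100.53", 53, 70),    # genuine query
    (0.1, "198.51.100.53", 53, "192.0.2.10", 40000, 180),   # its solicited answer
    (1.0, "203.0.113.1", 53, "192.0.2.80", 80, 3900),       # unsolicited replies
    (1.0, "203.0.113.2", 53, "192.0.2.80", 80, 4000),
    (1.1, "203.0.113.3", 53, "192.0.2.80", 80, 4100),
    (1.1, "203.0.113.1", 53, "192.0.2.80", 80, 3900),
]

if __name__ == "__main__":
    print(find_reflection_targets(SAMPLE_FLOWS, "192.0.2.0/24"))
```
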

“It is the distribution of hosts that attracts attackers — such as the group Anonymous — as it provides multiple advantages: undetectable location, multiple machines and identity anonymity,” said Alex Raistrick, director of cybersecurity solutions at Palo Alto Networks. And all of that “makes DDoS attacks an appealing instrument for destruction on Guy Fawkes Day,” he added.

As for mitigation, Raistrick noted that some attacks simply exploit vulnerabilities that subsequently crash or severely destabilize the system so that it can’t be accessed or used.

“Segmentation helps to block attacks trying to spread from one area of the network to another,” he said. “Next-generation firewall will also directly contribute to a stronger overall security platform, starting with the endpoint and detecting attacks there as well as detecting when threats are attempting lateral moves within networks.”

He added, “Essentially, make your estate difficult and expensive to breach — and the bad actors will go elsewhere.”

Source: http://www.infosecurity-magazine.com/news/ddos-explosion-imminent-for-guy/

Hacking attacks against organisations promoting democracy in Hong Kong were run using the same infrastructure previously linked to Chinese cyber-espionage attacks, according to new research from security firm FireEye.

Sites promoting the Occupy Central Pro Democracy movement, including Next Media’s Apple Daily publication and the HKGolden forum, have been hit by DDoS attacks.

The assaults against Next Media’s Apple Daily “brought down its email system for hours” as well as affecting its website.

The use of DDoS attacks as a political tool during times of conflict is not new; patriotic hacktivist groups frequently use them as a means to stifle rival political groups. The apparent objective of these DDoS attacks is to silence free speech and suppress the pro-democracy movement in Hong Kong. The Chinese government is therefore an obvious suspect.

In the case of Hong Kong, FireEye discovered “an overlap in the tools and infrastructure used by China-based advanced persistent threat (APT) actors and the DDoS attack activity” against the Hong Kong protest movement.

FireEye reports that the DDoS attacks against the pro-democracy movement were run using the KernelBot network. Samples of malware powering these attacks are signed with digital certificates linked to previously observed APT activity, including Operation Poisoned Hurricane, according to FireEye.

FireEye has identified a number of binaries coded to receive instructions from a set of command and control (C2) servers instructing participating bots to attack Next Media-owned websites and the HKGolden forum. Next Media is a large media company in Hong Kong and the HKGolden forum has been used as a platform to organise pro-democracy protests. Each sample we identified is signed with digital certificates that have also been used by APT actors to sign binaries in previous intrusion operations. These binaries are W32 Cabinet self-extracting files that drop a variant of an older DDoS tool known as KernelBot.

The QTI International and CallTogether code signing certificates, previously seen in malware attributed to APT activity, have cropped up in malicious code used in other attacks targeting the pro-democracy movement in Hong Kong. For example, malicious JavaScript inserted into the Hong Kong Association for Democracy and People’s Livelihood website featured the QTI certificate.

More recently, as noted by security researcher Claudio Guarnieri, the website of the Democratic Party of Hong Kong hosted a redirect to the same malicious JavaScript.

All this tool and infrastructure sharing points to links between pro-Beijing hacktivists and state-sponsored groups focused on IP theft and cyber-espionage. It’s evidence of collusion but far from definitive, according to FireEye.

“The evidence presented above shows a link between confirmed APT activity and ongoing DDoS attacks that appear to be designed to silence the Pro Democracy movement in Hong Kong,” FireEye concludes in a blog post. “The evidence does not conclusively prove that the same actors responsible for the DDoS attacks are also behind the observed intrusion activity discussed above – such as Operation Poisoned Hurricane. Rather, the evidence may indicate that a common quartermaster supports both the DDoS attacks and ongoing intrusion activity.”

It almost goes without saying, but the hkgolden.com, nextmedia.com, and appledaily.com.hk websites are blocked by the Great Firewall of China – indicating that authorities in Beijing have found the content hosted on these sites objectionable.

Other security researchers have noted that Hong Kong protesters have been infected by iOS and Android spyware. Lacoon Mobile Security spotted the Xsser mRAT spyware being slung around while posing as an Occupy Central coordination app.

Pro-democracy protests in Hong Kong began in September and have continued to escalate since.

Source: http://www.theregister.co.uk/2014/11/03/hong_kong_hacking_chinese_cyber_spy_link/

As cyber-criminals innovate and develop new techniques to tackle defensive methods, it has never been more important for information security professionals to have strong, proactive defense and remediation strategies in place. During this webinar, the speakers will share insight on how to address the risks and respond to attacks.

  • Hear about the evolution of and motivations behind DDoS attacks and the attack vectors exploited
  • Discover how to implement multi-layered DDoS defense
  • Identify best practice detection and classification techniques
  • Discover how to implement resilient DDoS incident response practices

Date: November 12th 2014
Time: 10:00AM EST/15:00 GMT

As the Director of Sales for DOSarrest Internet Security I have the opportunity to speak with many prospects looking for DDoS protection service for their corporate website.

What I have learned is that there are many competitors offering what I would call a “bare bones vanilla offering”.

Some offer services ranging from free to $200 – $300/month. These plans offer very basic protection. They also advertise an Enterprise offering that has an expensive starting point and can really turn out to be quite costly depending on your circumstances.

The Enterprise service is the offering that any company that is serious about protecting their website should consider. There are a few issues with each of these offerings that I’d like to point out.

These competitors claim they have a very large number of clients utilizing their services but fail to mention that 80-85% of them are using their free service. Roughly 10-15% of their customers are using their $200-$300/month service, which again is really just basic protection with limited capabilities.

When a company witnesses a large attack, which is completely out of their control, they are told they should upgrade to their enterprise offering. I hear from prospects quite often that this $200 – $300/month service does not offer adequate protection nor customer support.

In most cases there is no phone support included at all! Also, they will charge the client based on the size of the attack. How can a client control the size of an attack they are experiencing? This uncertainty makes it virtually impossible for a company to budget costs. Let’s not be mistaken, their goal is to get you onto their Enterprise offering, which will cost you in excess of a thousand dollars per month.

Alternatively, at DOSarrest Internet Security we offer a single Enterprise level service for all of our clients.

The service includes full telephone and email access to our 24/7 support team. This provides you direct access to system experts. We do not operate a tiered support service given the criticality of the service.

Also, we protect our clients from all DDoS attacks regardless of size, without the need to pay us extra depending on the size of an attack.

We also include an external monitoring account with our service called DEMS which stands for our DOSarrest External Monitoring Service. This allows our 24/7 support team to monitor your website from 8 sensors in 4 geographical regions.

We proactively inform our clients if we notice any issues with their website. Most of our competitors do not offer this service and if they do it is not included free of charge to their clients.

DOSarrest has been providing DDoS protection services since 2007. Globally we were one of the very first DDoS protection providers and have successfully mitigated thousands of real world attacks. This is not an “add on product” for us. Our team has the experience and the protection of a client’s website is our #1 priority. Please visit our newly revamped website and take a look at the testimonials page to see what some of our current customers are saying about their experience with us.

Please feel free to reach out to me directly or anyone on our sales team at sales@dosarrest.com for further information on our service.

Brian Mohammed

Director of Sales for DOSarrest Internet Security LTD.