DDoS Archive

The al Qassam Cyber Fighters resumed prolonged attacks against banks and hit more institutions simultaneously, with the longevity of the attacks fueling speculation that the attackers are well-funded.

Alleged hacktivists again launched denial-of-service attacks against major U.S. banks last week, causing some disruption at a handful of financial institutions.

While the group behind the attacks continues to pose as hacktivists, the longevity of the campaign—now entering its sixth month—has some security experts arguing that the attacks are a well-funded operation.

On March 5, al Qassam Cyber Fighters (QCF) launched their latest attacks against banks, posting a message on Pastebin stating that nine banks would be targeted by denial-of-service attacks during the week. Unlike previous network floods, the current attacks have simultaneously inundated a handful of banks with a deluge of traffic consuming bandwidth from 10 Gbit/s up to 40 Gbit/s, said Carlos Morales, vice president of global sales engineering and operations for network-protection firm Arbor Networks.

“They clearly have gotten more sophisticated over time,” Morales said. “They are doing their homework. A lot of the banks have reported that they are seeing probing and smaller attacks before the larger attacks, so the attackers are taking into account what the banks are serving up and customizing the attacks to take advantage of the banks’ defenses.”

The QCF attacks started in September 2012, targeting banks allegedly in retaliation for the posting of a video to YouTube that offended many Muslims. U.S. officials believe that Iran is carrying out or funding the attacks, according to a January report in The New York Times. The servers used in the attacks have also been used for criminal purposes, suggesting that the attackers are using criminal activities to fund the attacks or hiring time on criminal botnets to boost their capabilities.

The current attacks have targeted Bank of America, BB&T, CapitalOne, Citibank, Fifth Third Bancorp, JPMorgan Chase, PNC, UnionBank, and U.S. Bank, according to the QCF post.

The attacks are meant to be a nuisance to banks and cost them money, not take them offline, Arbor’s Morales said.

“This whole thing strikes me as a huge amount of saber rattling,” he said. “This is not about taking down the financials. If that was the case, they would not announce it.”

Defending against distributed denial-of-service (DDoS) attacks is not cheap. In a report released on March 12, managed-security firm Solutionary estimated that organizations spend as much as $6,500 an hour to recover from DDoS attacks—a number which does not include any lost revenue due to downtime.

The incidents do not seem like the work of hacktivists, who, in the past, attacked a company or site only long enough to gain attention and then moved on. The focus of the QCF group on repeatedly hitting the same targets for many months suggests other motivations, said Morales.

In its “State of the Internet” report for the third quarter of 2012, Internet security and content-delivery platform Akamai came to the same conclusion.

“While the attackers claimed to be hacktivists protesting a movie, the attack traffic seen by Akamai is inconsistent with this claim,” the company stated in the report. “The amount of attack traffic that was seen during these attacks was roughly 60 times larger than the greatest amount of traffic that Akamai had previously seen from other activist-related attacks. Additionally, this attack traffic was much more homogeneous than we had experienced before, having a uniformity that was inconsistent with previous hacktivist attacks.”

Source: http://www.eweek.com/security/hacktivists-expand-bank-ddos-attacks-as-security-pros-monitor-source/

The resumption this week of distributed denial of service attacks against major U.S. banks brought not only more cost and disruption to financial institutions trying to keep online services available, but also raised new questions about the funding and true motives behind the attacks.

A number of service disruptions were reported this week as Izz ad-Din al-Qassam Cyber Fighters lived up to their promise on Pastebin to kick off a third round of DDoS attacks in protest of the continued availability of the movie “Innocence of Muslims” on YouTube. These attacks, however, are very different from the one-and-done DDoS attacks preferred by other socially and politically motivated groups.

Banks are no strangers to DDoS attacks, but since September these attacks in particular have been noteworthy for the amount of traffic generated toward the banks, for their targeting of applications and specific features available on the banking sites, for the steady growth in the number of web servers used in the attacks, and for the automated tools being used. Add it all up and it points to hefty funding and know-how, whether from hackers bred in-house or contracted from the outside.

“There’s no doubt in my mind that this is well funded at some level,” said Arbor Networks director of security research Dan Holden. “There’s no way this can go on for this long and with this type of investment without someone caring. Historically, if you look at hacktivism, it’s been driven by some sort of incident and usually they can’t drive an operation for this long. Usually they just lose interest.”

Attribution is always challenging in any kind of attack, and it’s premature to call these attacks state-sponsored, but there has been skepticism from the outset about this particular campaign. Dmitri Alperovitch, cofounder and CTO of security company CrowdStrike, told Threatpost in September that the protestations over the movie were a red herring.

“I don’t buy that their motivation is in response to the video; this group has been carrying out attacks for months,” he said. “Their motivation is to send a message that this is what they’re capable of.” Alperovitch said the group’s name is the same as that of the military wing of Hamas and that it claims to have a Jihadist cause. “If a terrorist group is interested in sending a message to us, this is one way of doing so. It’s a relatively inexpensive and powerful message.”

The group behind these attacks has evolved its capabilities and is using a number of automated toolkits, including Brobot and itsoknoproblembro, to carry out not only high-volume attacks of upwards of 70-100 Gbps, but to do so against simultaneous targets. And this is more than just pounding a banking site with hundreds of thousands of SYN flood packets; the attacks are also application centric. In some cases, they’re going after application log-ins or trying to continuously download large files such as user agreements, policy statements and more.
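The application-centric behaviour described above (repeated pulls of large static documents and floods of login attempts) leaves a distinctive footprint in ordinary web server access logs, which is where a bank's operations team would first look for it. The following is an added example, not code from the article or from any vendor quoted in it: it parses combined-format access log lines, then flags any client that exceeds a per-minute budget of large-file downloads or login POSTs. The log lines, the `/login` path, the size threshold and the per-window limits are all constructed for illustration and would be tuned to a real site's baseline traffic.

```python
"""Flag application-layer DDoS patterns in web server access logs.

Added example (not from the article).  Two rules, matching the two behaviours
the article describes: (1) a client repeatedly downloading large documents,
(2) a client hammering the login endpoint.  Paths, thresholds and sample log
lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Detection policy (constructed values; tune to the site's normal traffic).
WINDOW = timedelta(seconds=60)
LARGE_BODY = 1_000_000          # responses of 1 MB or more count as large-file pulls
MAX_LARGE_PER_WINDOW = 5        # a person rarely re-downloads an agreement 5x a minute
LOGIN_PATH = "/login"           # hypothetical login endpoint
MAX_LOGIN_PER_WINDOW = 20


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def window_exceeded(times, limit, window):
    """True if more than `limit` timestamps fall inside any span of length `window`.

    Two-pointer sweep over the sorted timestamps: O(n) per client.
    """
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def detect(lines, window=WINDOW):
    """Map client IP -> sorted list of reasons, for every client that trips a rule."""
    large = defaultdict(list)
    logins = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines rather than abort the scan
            continue
        if rec["bytes"] >= LARGE_BODY:
            large[rec["ip"]].append(rec["time"])
        if rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH):
            logins[rec["ip"]].append(rec["time"])

    flagged = defaultdict(list)
    for ip, ts in large.items():
        if window_exceeded(ts, MAX_LARGE_PER_WINDOW, window):
            flagged[ip].append("repeated large-file downloads")
    for ip, ts in logins.items():
        if window_exceeded(ts, MAX_LOGIN_PER_WINDOW, window):
            flagged[ip].append("login flood")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


def synthetic_log():
    """Constructed sample: one document-pulling host, one login-flooding host, one normal user."""
    base = datetime(2013, 3, 5, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method, path, status, size):
        stamp = (base + timedelta(seconds=offset_s)).strftime(TIME_FMT)
        return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size}'

    lines = []
    # 203.0.113.10 (documentation range) pulls a 4.2 MB agreement PDF every 5 seconds
    lines += [line("203.0.113.10", i * 5, "GET", "/docs/user-agreement.pdf", 200, 4_200_000)
              for i in range(12)]
    # 198.51.100.7 POSTs to /login twice a second for 30 seconds
    lines += [line("198.51.100.7", i // 2, "POST", "/login", 401, 512) for i in range(60)]
    # 192.0.2.44 behaves like a customer: a page, one login, one download
    lines += [line("192.0.2.44", 0, "GET", "/", 200, 8_000),
              line("192.0.2.44", 3, "POST", "/login", 302, 0),
              line("192.0.2.44", 30, "GET", "/docs/user-agreement.pdf", 200, 4_200_000)]
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for ip, reasons in detect(synthetic_log()).items():
        print(ip, "->", ", ".join(reasons))
```

Per-IP counting works against the compromised-web-server model the article describes, because a few hundred high-bandwidth servers each produce a conspicuous volume; against a residential botnet of tens of thousands of low-rate hosts the same rules would need to aggregate by requested path rather than by client.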

The attackers are also using compromised web servers to fire off these requests and, according to experts, seem to be using simple Google searches to find servers with PHP vulnerabilities or other flaws that are easily exploitable. Web servers have far more bandwidth than a compromised home machine, thousands of which make up the traditional botnets used in DDoS campaigns. Owning a web server, a very old-school method of mounting DDoS attacks, is much more efficient for the attacker than waiting for clients to become infected with a Java exploit and malware.

“The average home user has 10 Mbps capabilities with broadband, with an upload speed of 1.5 Mbps. To use that as a tool to attack the banks, to get 70 Gbps, I would need 70,000 users,” said Barry Shteiman, senior security strategist at Imperva. “Web servers by design are supposed to serve a large amount of users with half or 1 Gbps of upload speed. I would need only 70 to 150 servers to get the same result.”

Taking this approach, Shteiman said, keeps costs down for an attacker. Using a Google search can render a long list of vulnerable web servers that are easy to find and difficult to patch. This is much simpler than writing or buying an exploit that bypasses a lot of client-side protections.

“If I know it’s going to take a lot of effort and money and bypass protections on user platforms, I need to find the best vector,” Shteiman said. “On websites, a lot of vulnerabilities are far less patched; we know most organizations are not covering Web threats.”

The banks, meanwhile, are defending well against these attacks, experts said, though they too have to spend more and evolve as attacks do.

“The attackers’ focus on a particular site is increasing because the banks’ defenses are so good at this point,” Arbor’s Holden said. “DDoS is not a set-and-forget type of defense. Because these attacks are so targeted a lot of people are no doubt still involved in defending against them; a lot of folks are not sleeping right now.”

Holden said he’s not surprised, given the presumed funding, that the attacks and capabilities have grown.

“They have to in order to keep the campaign growing,” he said. “I expect to see further tool development, possibly targeted tools depending on how a bank website is built and structured. They’re learning about defenses for each particular site. Based on what they learned and what’s working, they are able to create tools with a particular site in mind.”

Source: http://threatpost.com/en_us/blogs/size-funding-bank-ddos-attacks-grow-third-phase-030813

JEA’s website has been hit by a “denial of service attack,” knocking out the company’s website and payment system.

The Jacksonville-based utility told our news partner Action News Jax that jea.com is being “inundated with data,” starting overnight Sunday.

As of 2:15 p.m. Tuesday, the site was still down.

The problem is a “corporate internet connectivity event,” JEA said, and is impacting payments through its automatic phone system.

Payments made through third parties, such as Winn-Dixie and the tax collector, are being processed. Payments are still being taken at JEA’s Downtown office and requests for stop/start and reconnect orders are working as well.

There is no timeline for a fix, Action News Jax reports.

Attacks on large companies’ websites and servers have been frequent in recent months. SunTrust was hit by a cyber attack in October 2012, and Bank of America, Chase and Citi were attacked by Iranian hackers the month before.

The attacks led several of the major banks to ask the government for help to block the Iranian attacks.

JEA is the seventh-largest community-owned electric utility in the United States and one of the largest water and sewer utilities in the nation providing electric, water and sewer service to residents and businesses in northeast Florida.

Source: http://www.bizjournals.com/jacksonville/news/2013/02/19/jea-website-under-attack.html

Cloud providers face an increasing number of DDoS attacks, as private data centers already do today

The eighth annual Worldwide Infrastructure Security Report, from security provider Arbor Networks, reveals how both cloud service providers and traditional data centers are under attack. The report examined a 12-month period and asked 200 security-based questions of 130 enterprise and network operations professionals. The key findings follow:

  • 94 percent of data center managers reported some type of security attacks
  • 76 percent had to deal with distributed denial-of-service (DDoS) attacks on their customers
  • 43 percent had partial or total infrastructure outages due to DDoS
  • 14 percent had to deal with attacks targeting a cloud service

The report concluded that cloud services are very tempting for DDoS attackers, who now focus mainly on private data centers. It’s safe to assume that, as more cloud services come into use, DDoS attacks on them will become more commonplace.

Arbor Networks is not the only company that cites the rise of DDoS attacks on cloud computing. Stratsec, in a report published last year, stated that some cloud providers are being infiltrated in botnet-style attacks.

This should not surprise anyone. In my days as CTO and CEO of cloud providers, these kinds of attacks were commonplace. Indeed, it became a game of whack-a-mole to keep them at bay, which was also the case at other cloud providers that suffered daily attacks.

The bitter reality is that for cloud computing to be useful, it has to be exposed on public networks. Moreover, cloud services’ presence is advertised and the interfaces well-defined. You can count on unauthorized parties to access those services, with ensuing shenanigans.

The only defense is to use automated tools to spot and defend the core cloud services from such attacks. Over time, the approaches and tools will become better, hopefully to a point where the attacks are more of a nuisance than a threat.

The larger cloud providers, such as Amazon Web Services, Hewlett-Packard, Microsoft, and Rackspace, already have good practices and technology in place to lower the risk that these attacks will hinder customer production. However, the smaller cloud providers may not have the resources to mount a suitable defense. Unfortunately, I suspect this will make them the primary targets.

Source: http://www.infoworld.com/d/cloud-computing/cloud-use-grows-so-will-rate-of-ddos-attacks-211876

As the threat landscape continues to evolve, one malicious tactic has stood the test of time: distributed denial-of-service attacks (DDoS). They carry on as a preferred means of assault on networks around the world, and they’re getting more prevalent and sophisticated.

According to a recent report from Prolexic, a security firm that specializes in DDoS protection, there was an 88 percent increase in the total number of DDoS attacks in the third quarter of this year compared to the same period last year.

The common method associated with this threat involves an attacker pummeling a target with illegitimate traffic through the use of botnets, to the point where its online services are unavailable. While it may seem like a mere nuisance, an attack of this nature is detrimental to any enterprise that generates a majority of its revenue online.

The recent attacks that downed the websites of major financial institutions, such as Bank of America and JP Morgan Chase, have proved that DDoS is evolving. Rather than opting for a botnet’s army of zombie computers, the perpetrators leveraged a slew of compromised servers to launch their attacks, which flooded networks with up to 60 gigabits per second of traffic coming from each infected server.

A DDoS service toolkit known as “itsoknoproblembro” was believed to be the weapon behind the financial assaults. The toolkit is capable of attacking several layers of a website’s networking stack, and according to Prolexic, any mitigation provider would struggle to deal with this type of strike.

And, the prevalence and advancements of these malicious DDoS methods may be bolstered by the overall decrease in spam. As spam filters have gotten better, botnet masters have found that DDoS attacks are a worthy replacement to ensure they continue to see a high return on investment, said Matthew Prince, CEO and founder of CloudFlare, a web performance and security firm.

Motives surrounding DDoS attacks vary, from cyber warfare to hacktivism, but the one constant is that their maturation is what makes them difficult to defend against, said Dan Holden, director of Arbor Networks’ Security Engineering and Response Team. Further complicating matters, whether they are using a service provider or a hybrid cloud partner, many enterprises simply don’t own or have full visibility into their own network. “Fundamentally the internet is just a different place,” Holden said.

Source: http://www.scmagazine.com/2-minutes-on-the-advancement-of-ddos/article/268633/