DDoS Archive

When two computers wish to communicate, they have to acknowledge that they are ready to communicate, and this process is sort of like talking to a friend by text messages. Say you want to talk to Billy: you send Billy a text message saying you want to talk. Billy gets this message from you, which is good, because he also knows that you-to-Billy communication works — this is sort of a big deal, because you and Billy live in a world where cell phone providers aren’t very reliable.

Billy now has to let you know that he got your message, and that Billy-to-you communication works, so he replies with another text message saying “Looks like I can get your messages, and I’m attending my phone now.” You get this message, and everything looks cheery, so you send him a last text message saying “I can get yours too. Let’s start talking!”, and you and Billy can now carry on a friendly chat.

This is how computers communicate with each other; it’s called handshaking, and it’s used to do two things: acknowledge the desire to communicate with each other, and make sure the lines of communication are working well. It’s harder to prove the latter, because in the example above, Billy might not have gotten your last text message, and you’d never know. It would be reassuring if he acknowledged that he got it by sending you another confirmation, before you start wasting a ton of money sending him a bunch of text messages that he might not even get! Of course, then you’d have to confirm that you got his confirmation, and he’d have to confirm that confirmation, and so forth. As reassuring as it is, we can’t keep doing this indefinitely, and network engineers have had to come up with a solution to this problem, known as The Two Generals’ Problem. In the end, they settled on the protocol as mentioned above.

Now, say you want to chat with Billy, so you send him a text message to see if he’s there. He confirms that he’s there, but the text message gets dropped because of a bad cell phone tower. Now both of you are stuck at a stalemate; you’re waiting for his confirmation, and he’s waiting for yours. This is a bad situation! So, in order to avoid this, Billy tries to resend his reply after a certain amount of time, after not hearing from you, because he doesn’t know whether it’s your cell phone tower that’s bad, or his. And, after he still doesn’t get a reply from you, he gives up, and determines that the cell phone towers are conspiring against your friendship.

A Denial-of-Service takes advantage of this protocol, to allow you to, well, troll Billy. How it works is as concisely explained in the comic strip — you send Billy a message saying you want to talk, and he sends you a message back saying that he’s ready to talk, but you “pretend” like you never got his message, keeping him busy for a few minutes until he gives up. Then you poke him again, saying you want to talk again, and pretending like you just can’t hear him, and he’ll always put in a full effort to try to start a conversation with you. This causes Billy a lot of aggravation, especially if you get a lot of people to do this to Billy! Eventually, he won’t be able to keep sending all these confirmations to all the people that he thinks genuinely want to talk to him, and he spends every waking minute replying to these phony text messages, leaving him no time to start conversations with people who actually want to talk to him. Thus, you’re denying anyone who wants to actually talk to Billy the service of Billy’s conversation.

Miscellaneous Facts: The “text messages” that computers send to each other are called packets. It’s exactly like what it sounds like — a small parcel of information, wrapped nicely with a stamped address, date, return address, and all the good stuff.

The initial packet in the handshaking protocol is called a SYN packet, short for synchronize. The receiving computer sends back an ACK packet, short for acknowledge, as well as another SYN packet. The original conversation-starter replies to that SYN packet with a final ACK, and then the conversation can begin. The computer that sends both the SYN and the ACK at the same time sends them as a combined packet, usually referred to as SYN/ACK. This makes the protocol a three-packet protocol: SYN, SYN/ACK, then lastly, ACK.
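To make the handshake and the half-open “Billy keeps waiting” behaviour described above concrete, using the SYN, SYN/ACK and ACK names from the Miscellaneous Facts, here is an added Python model. It is not part of the original article or of any product. It simulates a server that queues half-open connections with a bounded backlog and a retransmit timer, and a second server using the SYN-cookie idea (the pending state is encoded in the SYN/ACK instead of stored), then runs both against a constructed scenario of peers that never send the final ACK followed by one honest peer. The class and function names, the backlog and retry values, and the HMAC-based cookie are all assumptions of this example rather than details from the article.

```python
import hashlib
import hmac
import secrets


class StatefulHandshakeServer:
    """Server that remembers every half-open connection (SYN seen, final ACK not yet).

    Each SYN occupies a slot in a bounded queue until the final ACK arrives or
    the retransmit timer gives up, just as Billy keeps waiting for your last text.
    """

    def __init__(self, backlog=64, syn_retries=3):
        self.backlog = backlog          # maximum number of half-open entries (assumed value)
        self.syn_retries = syn_retries  # SYN/ACK retransmits before giving up (assumed value)
        self.half_open = {}             # client id -> retransmits sent so far
        self.established = set()
        self.refused = 0                # SYNs dropped because the queue was full

    def on_syn(self, client):
        """Process an incoming SYN and return the reply sent (None if dropped)."""
        if client in self.half_open:
            return "SYN/ACK"            # duplicate SYN: just repeat our reply
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return None                 # queue is full: newcomers are ignored
        self.half_open[client] = 0
        return "SYN/ACK"

    def on_ack(self, client):
        """Process the final ACK; True if it completed a pending handshake."""
        if client not in self.half_open:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True

    def tick(self):
        """Retransmit timer: resend SYN/ACK once per tick, give up after syn_retries."""
        for client in list(self.half_open):
            self.half_open[client] += 1
            if self.half_open[client] > self.syn_retries:
                del self.half_open[client]   # gave up on this peer; slot is freed


class SynCookieServer:
    """Stateless alternative: encode the pending state in the SYN/ACK itself.

    Nothing is stored per client until the final ACK arrives, and that ACK must
    echo a 'cookie' only the server can compute. Real TCP SYN cookies squeeze
    this into the 32-bit sequence number together with a coarse timestamp; the
    HMAC here is a simplified stand-in and an assumption of this example.
    """

    def __init__(self):
        self.secret = secrets.token_bytes(16)   # per-server key (constructed)
        self.established = set()

    def _cookie(self, client):
        return hmac.new(self.secret, client.encode(), hashlib.sha256).digest()[:4]

    def on_syn(self, client):
        return "SYN/ACK", self._cookie(client)  # reply carries the cookie; no state kept

    def on_ack(self, client, cookie):
        """Accept the ACK only if it echoes the cookie issued for this client."""
        if not hmac.compare_digest(cookie, self._cookie(client)):
            return False
        self.established.add(client)
        return True


def simulate_stateful(attackers=200, backlog=64, syn_retries=3):
    """Constructed scenario: `attackers` peers send a SYN and never ACK, then one
    honest peer tries to connect. Returns (connected during the flood,
    connected after the timers expire, number of SYNs refused)."""
    server = StatefulHandshakeServer(backlog=backlog, syn_retries=syn_retries)
    for i in range(attackers):
        server.on_syn(f"peer-{i}")      # SYN/ACK is ignored, slot stays occupied
    during = server.on_syn("honest-peer") is not None and server.on_ack("honest-peer")
    for _ in range(syn_retries + 1):    # let every retransmit timer run out
        server.tick()
    after = server.on_syn("honest-peer") is not None and server.on_ack("honest-peer")
    return during, after, server.refused


def simulate_cookies(attackers=200):
    """Same scenario against the stateless server. Returns (replayed cookie from
    another peer accepted, honest peer's own cookie accepted)."""
    server = SynCookieServer()
    for i in range(attackers):
        server.on_syn(f"peer-{i}")      # nothing is stored, so nothing can fill up
    _, other_cookie = server.on_syn("peer-0")
    _, cookie = server.on_syn("honest-peer")
    replayed = server.on_ack("honest-peer", other_cookie)  # wrong client's cookie
    honest = server.on_ack("honest-peer", cookie)
    return replayed, honest


if __name__ == "__main__":
    print("stateful server (during, after, refused):", simulate_stateful())
    print("SYN-cookie server (replayed, honest):", simulate_cookies())
```

With the assumed numbers, the stateful server refuses the honest peer while 64 half-open slots are held by peers that never answer, and only recovers once its retransmit timers give up; the cookie server never runs out of slots because it stores nothing before the final ACK, and it still rejects an ACK that echoes a cookie issued to a different peer. The retransmit-and-give-up behaviour is the same timeout that gives the attacker in the article a window to keep Billy busy, which is why real TCP stacks pair a bounded backlog with SYN cookies rather than relying on timeouts alone.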

Source: http://pbjbreaktime.com/2011/01/what-is-ddos-denial-of-service-attack-explained-in-laymens-terms/


News of the recent LinkedIn security breach that compromised 6.4 million user accounts must have sent shivers down the spines of users who heavily make use of the website. While LinkedIn has since reset its systems, it could take days to complete investigations into how security was breached on the site that helps matchmake potential employers with employees.

According to a Reuters report, at least two security experts who examined the files, believed to contain the stolen LinkedIn passwords, said the company had failed to use best practices for protecting the data.

They claimed that LinkedIn used a basic method for encrypting passwords, which allows hackers to quickly unscramble all passwords after they figure out the formula by which any single password has been encrypted.

However, Mark Smith, managing director, Asia, Savvis, asserts that no system is completely foolproof. “Security breaches can happen and no system is 100 per cent secure,” he says. Savvis is a company that helps build cloud infrastructure and host IT solutions for enterprises. Mr Smith believes that effective communication to customers after a security breach still remains a challenge.

He points out that putting together a formal communication process can reduce fear among the public and increase their confidence in the company. He applauded LinkedIn’s swift action in providing members with an update that answered some frequently asked questions and let them know what they could do to protect their information.

Turning to the industry, Mr Smith observes that there is a constant and growing threat of viruses, worms, spyware, and denial-of-service attacks that can corrupt, steal, or even destroy critical corporate information. These attacks have become widespread and complex and many businesses find it challenging to prevent zero-day attacks.

Network security comes down to the tiers of security that are applied to the business. “Service providers should layer security services to protect against breaches. This means they can expand security coverage accordingly, as businesses grow,” he explains.

One of the fastest growing threats today is a Distributed Denial-of-Service (DDoS) attack. In many cases, a DDoS attack could be caused by hundreds, or thousands, of compromised computers controlled by a single perpetrator.

During an attack, the perpetrator instructs these infected computers to “flood” a business site with requests, rendering it incapable of functioning properly. This ultimately brings the site down and causes financial losses, for instance, in the case of bank websites.

A common security breach usually occurs from within the organisation, sometimes due to human error, or to malicious employees. Mr Smith notes that a wrong configuration of applications is another cause of security breaches.

Employees handling company security may be trained in general security, but are not specialised in specific aspects of security, leading to human error.

“Many companies whose core business is not deploying security end up deploying security and this increases the probability of a potential security breach,” he explains.

Malicious damage could also result in security breaches. Many companies find it difficult to control internal access.

Mr Smith says: “We regularly see news articles about service failures and anonymous taking down of websites like government services and some of the biggest brands in the world. DDoS mitigation, layering security levels, and outsourcing infrastructure to experts can help provide against such incidents.”

Source: http://business.asiaone.com/Business/SME%2BCentral/Tete-A-Tech/Story/A1Story20120618-353593.html

If modern technology is a universal language, today our world is getting schooled in innovation. Mobile devices have become an integral part of our lives. We game on them, surf on them, bank on them, and now there is the growing opportunity to buy things on them. The new era of mobile payments will likely mean that your phone never leaves your hand: Point of Sale (POS) systems are being set up with Near Field Communication (NFC), or with the ability for a cashier to scan your phone with a QR code reader. This means that you should never have to hand your device over to anybody. Yet research says that people have security fears, and these concerns are valid.

When we talk about mobile payments we usually get the same reaction from people: excitement and anxiety. We as human beings love convenience and gadgets that make everyday life easier. That said, we’re risk averse when it comes to our money.

With more sensitive data being held on smartphones, new security threats have emerged. Mobile users list remote access by hackers, interception of calls or data, device theft or loss, and the installation of malware and viruses among their greatest concerns. Many of the threats that originated online are also moving to the mobile environment, including Distributed Denial of Service (DDoS) attacks, crimeware botnets, and “hacktivist” groups such as Anonymous.

To reduce these inherent risks, organizations must look to adopt a mobility security strategy that addresses the mobile threat landscape.

Given the fact that in the near future mobile payments will enjoy rapid uptake, mobile network operators and financial institutions are challenged to provide a service that transmits payments quickly and reliably. Merchants are also looking to adopt mobile payments on a larger scale. While doing so, they are looking for industry expertise and guidance.

The PCI Security Standards Council issued a new document this month that explains its views on mobile payment security, and provides guidelines for how merchants can securely accept payments using mobile devices such as smartphones or tablets. Mobile payment security isn’t a one-size-fits-all challenge; however, it is important to craft the mobility security strategy while delving deep into the world of mobile payments.

I was reading Abhi’s post on foiling the modern day Bonnie and Clyde and as he points out, the threats aren’t limited to computers. Our always-on mobile devices are ripening into a juicy opportunity for cybercriminals as we perform more transactions on the go.

Information security is not a “check the box” compliance exercise. No single solution can inoculate a network from attack, and protecting information is not solely IT’s responsibility. Instead, the new integrated security approach is predictive and organization-wide. It proactively protects while anticipating the worst. It embraces rather than bans. It focuses on trust, not paranoia.

By rethinking your information security strategy and using an integrated security approach, your organization can manage the right risks and drive value in the era of mobility.

Source: http://networkingexchangeblog.att.com/enterprise-business/mobile-payments-bring-new-opportunities-and-new-threats/

South Korean police arrested a man from Seoul last week, on suspicion of working with North Korea to develop games infected with spyware.

According to a news report in the Korea JoongAng Daily, the 39-year-old game distributor was arrested on June 3 and charged with violating the National Security Law.

The law is North Korea-specific. Passed as the National Security Act in 1948, it outlawed:

recognition of North Korea as a political entity;
organizations advocating the overthrow of the government;
the printing, distributing, and ownership of “anti-government” material;
and any failure to report such violations by others.

The man was identified only by his family name, which news outlets render as either Cho or Jo.

Police claim that Cho met with North Korean spies who had set up a hacking base disguised as a trading firm in the Northeastern Chinese city of Shenyang.

The North Korean spies were allegedly associated with the country’s Reconnaissance General Bureau.

According to the Federation of American Scientists, this department ferrets out strategic, operational, and tactical intelligence for the Ministry of the People’s Armed Forces and plants spies in South Korea, either via boat or through tunnels under the demilitarized zone.

The Seoul Metropolitan Police said that Cho paid the spies tens of millions of won to develop the illegal game software.

Ten million won is equal to US $8520 or £5514.

The police allege that Cho turned to the reconnaissance unit to develop the games at this cheap price and knew they were infected.

According to Geek.com, the cost of the infected games was about one-third of a typical price.

Cho is also accused of setting up a server in South Korea that the North Koreans used in attempts to launch DDoS attacks at South Korean networks.

According to Geek.com, one such recent DDoS attack was launched against South Korea’s Incheon International Airport. Airport departures were disrupted multiple times in the spring of 2011 as a result.

The attack used a botnet of zombified computers that had been infected after their owners downloaded the Trojans by playing the poisoned games.

Beyond turning players’ computers into zombies, authorities also believe that Cho may have passed along personal information about more than 100,000 registered users to the North Koreans.

The police said Cho retained the personal information of hundreds of thousands of South Koreans, having collected the data from major portals.

This isn’t the first time North Korea has been implicated in cyberwarfare against South Korea.

There have long been claims that North Korea is operating a cyberwarfare unit (presumably being countered by the one alleged to exist in South Korea), and in 2008 it was reported that South Korea’s military command and control centre was the target of a spyware attack from North Korea’s electronic warfare division.

The sexy female seductress at the centre of that case, who was accused of seducing army officers in exchange for military secrets, was subsequently jailed for five years.

In 2009, a massive DDoS attack crippled 26 South Korean and foreign governmental websites, including military sites.

This spring, between April 28 and May 13, North Korea’s Reconnaissance General Bureau also managed to devastate GPS signals throughout the Korean peninsula.

The Reconnaissance General Bureau’s cultivation of cyber warriors is now at such an advanced state, in fact, that a South Korean expert recently claimed that North Korea’s abilities to wage a devastating cyber war are behind only those of the US and Russia.

Source: http://nakedsecurity.sophos.com/2012/06/11/north-korea-uses-infected-games-to-ddos-south-korea/

Researchers at network security vendor Arbor Networks are warning of an increasingly capable tool being used by cybercriminals to conduct powerful distributed denial-of-service (DDoS) attacks.

The tool, called MP-DDoser or IP-Killer, was first detected in December 2011 and, according to Jeff Edwards, a research analyst at Chelmsford, Mass.-based Arbor Networks Inc., the tool’s authors are making progress in eliminating flaws and adding improvements. The active development is boosting the tool’s attack capabilities and advancing its encryption algorithm to protect its botnet communications mechanism. Arbor released a report (.pdf) analyzing MP-DDoser’s capabilities and improvements.

“The key management is quite good, and the buggy DDoS attacks are not only fixed, but now include at least one technique … that may be considered reasonably cutting edge,” wrote Edwards, a member of Arbor’s security engineering and response team, in a blog entry Thursday.

Edwards said the “Apache Killer” technique, which can be deployed by the tool, is designed to flood requests to Apache Web servers, overwhelming the memory and ultimately causing it to crash. The technique is considered low-bandwidth, making it difficult to filter out the bad requests. A less successful form of the attack was used by a previous botnet, Edwards said, but the MP-DDoser authors appear to have incorporated it with some improvements.

“A review of the [IP-Killer] bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack,” Edwards wrote. “It is therefore one of the more effective low-bandwidth, ‘asymmetrical’ HTTP attacks at the moment.”

Asymmetric DDoS attacks typically use less-powerful packets to consume resources or alter network components, according to the United States Computer Emergency Readiness Team (US-CERT). Attacks are meant to overwhelm the CPU and system memory of a network device, according to US-CERT.

The steady increase in easily obtainable automated DDoS attack tools has put the attack technique in the hands of less-savvy cybercriminals. Arbor Networks’ Worldwide Infrastructure Report 2012 detailed a steady increase in powerful attacks over the last five years. The report, which surveyed 114 service providers, found that lower-bandwidth sophisticated attacks like MP-DDoser are becoming alarming.

MP-DDoser, IP-Killer botnet communications improvements
The MP-DDoser botnet does not spread spam or malware, making it more effective at conducting DDoS campaigns, according to Edwards.

The authors of MP-DDoser are also employing encryption and key management as part of network communications, Edwards said. Encrypting communications is becoming more common in malware to make it more difficult for investigators to trace the transmissions between the bot and the command-and-control server. Edwards called the MP-DDoser author’s use of encryption a “home brew” algorithm, making decryption even more difficult for researchers.

“All in all, MP-DDoser uses some of the better key management we have seen. But of course, at the end of the day, every bot has to contain – or be able to generate – its own key string in order to communicate with its C&C, so no matter how many layers of encryption our adversary piles on, they can always be peeled off one by one,” Edwards wrote.

Source: http://searchsecurity.techtarget.com/news/2240153127/Arbor-Networks-warns-of-IP-Killer-MP-DDoser-DDoS-tool