Defend Against DDoS Archive

The San Diego County Registrar of Voters’ website went out of service on election night because a firewall, having recognized an attempt to attack the site, cut off outside access to it, officials said today, adding that an investigation was being conducted.

Sdvote.com went down soon after initial results were posted after 8 p.m. Tuesday, and the site remained inoperative for about two hours. Access to the site was also spotty after midnight.

Residents and local politicos use the site to track results. The county also uses its information technology to send a direct feed of results to news media, but that feed was not interrupted.

According to a county statement, sdvote.com began receiving well over 1 million hits per minute from a single Internet protocol address around 8:15 p.m., and a firewall that recognized the traffic as suspicious responded by shutting down all outside access to county websites. Note that the outage was the product of the defensive response, not of the flood exhausting the site; distinguishing a blanket shutdown from blocking the single offending address is exactly the decision a mitigation plan needs to make in advance.

Investigators said they believe the “denial of service” attack was launched against the site to prevent legitimate users from obtaining information.

It was unknown if the attack was meant to disrupt the election itself, according to the county.

IT vendor Hewlett Packard ruled out any hardware or software issues, and there was plenty of capacity for the number of users who tried to use sdvote.com, according to the county.

County officials said they were working with a security team and Hewlett Packard to find who or what was responsible for the attack, and reviewing ways to keep such an event from taking down the site in the future.

Source: http://www.kpbs.org/news/2012/jun/07/county-says-its-voting-results-website-was-hacked-/

By Brian Bloom, ComputerWorld Canada

May 29, 2012, 8:53 PM — Depending on how unscrupulous your business practices are, a denial-of-service attack can give you a competitive advantage. From keeping competitors offline to engaging in outright extortion, there are organizations (some more obviously criminal than others) now using DDoS attacks to make big money.

For those on the receiving end, DDoS attacks are expensive. If you want to avoid losing a lot of money, it pays to be insured. And it’s better to get your protection from the good guys.

Corero Network Security is a company that fits into a small but growing sector of the information security community. It looks at ways to combat the increasingly sophisticated — and often untraceable — denial-of-service attacks targeting organizations of all kinds. The company says the bulk of the attacks today are not the spectacular, ideology-driven kinds that grab headlines.

“Most of the attacks, we know, involve things like unfair competition,” says Neil Roiter, research director of Corero Network Security Inc. “In other words, another company in your own market, your own sector, hitting you to knock you offline, to chase away customers, to lure customers to their own site.”

Roiter adds that when Corero surveyed companies in the U.S. subjected to DDoS attack, more than half believed they had been targeted by the competition. Then there are other attacks: ones that are essentially information age protection rackets.

“It’s like the old protection racket where guys come into your shop, your store, like in the movies and they say, ‘You have a nice place here. It would be a shame if something bad happened to it. Or happened to you.’

“You’ll get an email or phone call saying, ‘Pay us $50,000 by such and such a time, transfer it to this account, or we’re going to knock your site offline.'”

At first glance, Canada appears to have avoided the scourge of these sorts of “professional” DDoS attacks. David Black, manager of the RCMP technology crime branch’s cyber crime fusion team, says he hasn’t encountered many cases of DDoS extortion in Canada, though the threat is certainly present.

“Any company is vulnerable to this, in a sense,” says Black. “If their business depends on 24/7 network connection, extortion could be a reality.”

He adds that it’s “very rare” to catch a company knocking down a competitor’s site in Canada. But again, he cautions that this doesn’t mean they won’t occur in the future.

“We are at high risk, don’t get me wrong,” Black says. “Just the examples aren’t there.”

But Roiter suggests there may be plenty of examples that the police simply don’t know about. Extortion, he says, is a crime that usually goes unreported, making it impossible to know how prevalent it is. While countries do differ in terms of the types of DDoS attacks they experience, certain industries are magnets for these types of crimes, Roiter says. He notes, for example, that Canada has a “healthy online gambling industry.”

“Gambling sites are very popular targets. There’s a lot of that that goes on in online gambling. And usually they’ll pay the ransom. Think of it this way: somebody gives you that call before World Cup match when you know you’re going to be doing hundreds of thousands, maybe a million dollars in business, and they say, ‘pay us $50,000’ or ‘£30,000’ or whatever it is. You’re going to pay.”

Roiter says part of the reason that companies are forced to give into criminals’ demands is not necessarily that they haven’t taken protective measures, but that they haven’t taken the right ones. They may be protected from network-based attacks and aren’t ready for the newer application-level attacks.

“The network flooding attacks, the SYN flood, the UDP attacks, the ICMP attacks, those sorts of things are becoming less prevalent, and application-layer attacks, which use far less bandwidth and are much harder to detect and mitigate, are becoming dominant.”

To combat such attacks, Corero’s platform combines protocol analysis, which checks whether each connection is behaving the way the protocol says it should, with a rate-limiting scheme that credits well-behaved clients and assigns demerits to misbehaving ones. Once a source accumulates enough demerits, the system treats it as a threat and blocks it.
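As an added illustration (this is not Corero’s code, and the article does not describe the product’s internals), here is a per-source credit/demerit limiter of the kind just described, run over constructed traffic that includes a single-address flood like the one in the San Diego item at the top of this page. The constants, the rule that a malformed request line earns demerits, the request format and the sample addresses are all assumptions. What it shows: the flooding source burns its credit, collects demerits and is dropped, while the three well-behaved sources, including one that sent a single malformed line, keep being served; nothing is shut off globally.

```python
"""Per-source credit/demerit rate limiter run over constructed traffic.

Added illustration only. Assumed model (not from the article):
  * every source starts with MAX_CREDIT and a request costs COST;
  * credit refills continuously at REFILL_PER_MS;
  * a request arriving with no credit left earns one demerit;
  * a malformed request line (protocol misbehaviour) earns DEMERIT_BAD;
  * a source whose demerits reach BLOCK_AT is dropped, and only that source.
Time and credit are integers (milliseconds, millicredits) so the
arithmetic is exact.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_CREDIT = 20_000      # burst allowance (20 requests)
COST = 1_000             # one request
REFILL_PER_MS = 10       # 10 requests per second sustained
DEMERIT_BAD = 5          # cost of a malformed request line
BLOCK_AT = 10            # demerits at which a source is blocked

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) /\S* HTTP/1\.[01]$")


@dataclass
class SourceState:
    last_seen: int
    credit: int = MAX_CREDIT
    demerits: int = 0
    blocked: bool = False


class CreditDemeritLimiter:
    def __init__(self) -> None:
        self.sources: Dict[str, SourceState] = {}

    def decide(self, ts_ms: int, src: str, request_line: str) -> str:
        """Return 'allow', 'reject' (this request only) or 'drop' (source blocked)."""
        st = self.sources.setdefault(src, SourceState(last_seen=ts_ms))
        if st.blocked:
            return "drop"
        # Refill for the time elapsed since this source was last seen, capped.
        st.credit = min(MAX_CREDIT, st.credit + (ts_ms - st.last_seen) * REFILL_PER_MS)
        st.last_seen = ts_ms
        if not REQUEST_LINE.match(request_line):
            st.demerits += DEMERIT_BAD          # protocol misbehaviour
        elif st.credit >= COST:
            st.credit -= COST
            return "allow"
        else:
            st.demerits += 1                    # over its sustained rate
        if st.demerits >= BLOCK_AT:
            st.blocked = True                   # block this source, nobody else
            return "drop"
        return "reject"


def constructed_traffic() -> List[Tuple[int, str, str]]:
    """(timestamp_ms, source, request line) tuples: ten seconds of made-up traffic."""
    ok = "GET /results HTTP/1.1"
    events: List[Tuple[int, str, str]] = []
    events += [(t, "10.0.0.1", ok) for t in range(0, 10_000, 1_000)]     # 1 req/s
    events += [(t, "10.0.0.2", ok) for t in range(0, 10_000, 250)]       # 4 req/s
    events += [(500, "10.0.0.3", "GARBAGE")]                             # one bad line
    events += [(t, "10.0.0.3", ok) for t in range(1_500, 10_000, 1_000)]
    events += [(t, "203.0.113.7", ok) for t in range(0, 10_000, 10)]     # 100 req/s flood
    return sorted(events)


def simulate(events: Optional[List[Tuple[int, str, str]]] = None) -> Dict[str, Counter]:
    """Per-source tally of allow/reject/drop decisions."""
    if events is None:
        events = constructed_traffic()
    limiter = CreditDemeritLimiter()
    tally: Dict[str, Counter] = {}
    for ts, src, line in events:
        tally.setdefault(src, Counter())[limiter.decide(ts, src, line)] += 1
    return tally


if __name__ == "__main__":
    for src, counts in simulate().items():
        print(f"{src:14} {dict(counts)}")
```

With these constants the flooding address is allowed 23 requests, rejected 9 times while its demerits climb, and then dropped for the remaining 968; the three legitimate sources never see a drop. The refill-on-elapsed-time step is what lets a burst through without penalising a client that is merely busy, and the separate, heavier demerit for malformed lines is how the scheme folds protocol misbehaviour into the same score as excessive rate.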

The company has more than 20 major Canadian clients, including financial and government institutions. Dave Millier, CEO of Toronto-based Sentry Metrics Inc., says his company was the primary reseller for Top Layer Networks Inc., a company Corero acquired in 2011 that was one of the biggest players in the DDoS market.

Millier says in general, Corero’s “claim to fame” in preventing DDoS attacks is their ability to ensure business continuity in the midst of an attack. “They can sustain multi-hundred megabit attacks, while still allowing acceptable performance of the Web services that are running on the systems inside the network itself.”

This is accomplished by placing the Corero boxes outside of the network and firewall to identify and block threats more quickly. “All the data still comes to the Corero box, but it’s intelligent enough to actually in effect drop the connections before they ever get to the devices that are trying to be connected to.”

From the RCMP’s perspective, says Black, one of the best ways to combat DDoS crime in Canada is to seek guidance from the Canadian Cyber Incident Response Centre (CCIRC). Businesses can also report cyber threat incidents to the Centre. And as they increase, it will play an increasingly important role, he says.

“As this business grows and matures, for advice on how to prevent … (that’s) a great role for CCIRC,” he says.

Source: http://www.itworld.com/security/279089/new-ddos-silent-organized-and-profitable

UK’s largest hosting biz titsup in DDoS outrage

By Anna Leach

Posted in CIO, 23rd May 2012 12:36 GMT

A “massive” distributed-denial-of-service attack emanating from China has taken down 123-reg, the UK net biz that hosts 1.4 million websites.

In a statement on the its service status page just after midday today, 123-reg blamed attackers in China:

From 11:30 to 22:50 our network was undergoing a massive distributed denial of service attack from China. Due to the nature and size of this attack the firewall systems in place needed to be reconfigured to block the bad traffic and allow the good traffic through.

The attack, which appears to be ongoing, caused patchy service from the sites hosted by the company, which also has more than 4 million domains on its books. 123-reg promised that no emails would be lost, and messages would be queued up by the mail servers and sent shortly.

123-reg’s own site was down too in the aftermath of the traffic blast, which proved to be frustrating for users trying to find out what was going on. A 123-reg tweet at 12.30pm said that they were working through final issues and that services should be returning to normal.

123-reg is a brand name of Webfusion Ltd, part of the Host Europe group. WebFusion isn’t picking up the phone so we can’t get more detail on the hacks at this time. ®
Updated to add

A spokeswoman for 123-reg got in touch this afternoon to say:

We had contained the primary attack within 15 minutes of it happening. As the largest domain provider in the UK, and coupled with the increase of these types of attacks across Europe in particular, we know we are a prime target. We are still in the process of resolving this.

Source: http://www.theregister.co.uk/2012/05/23/123reg_ddos_attack/

By: Jeremy Nicholls

The internet is an ideal destination for like-minded people to come together.

This is as true for people who are reaching out to friends, colleagues and strangers to raise money for charity as it is for groups of individuals who plan to use cyber attacks to make political or ideological statements.

It is the latter group, ‘hacktivists’ as they have come to be called, who are having a profound impact on today’s security threat landscape.

Research from Arbor Networks’ annual Worldwide Infrastructure Security Report (a survey of the internet operational security community published in February) supports this. Ideologically motivated hacktivism and vandalism were cited by a staggering 66 per cent of respondents as a motivating factor behind distributed denial-of-service (DDoS) attacks on their businesses.

One of these attacks last month targeted the BBC – the attack took down email and other internet-based services and the BBC suspected the attack was launched by Iran’s cyber army in a bid to disrupt BBC Persian TV. Then there was the takedown of the Home Office website with the promise of a series of weekly attacks against the Government.

But it’s not just high-profile, politically connected organisations at risk. Any enterprise operating online, which applies to just about any type and size of business operating in the UK, can become a target because of who they are, what they sell, who they partner with or for any other real or perceived affiliations. Nobody is immune.

An influx of new attack tools is entering the market, readily available and fast to download; plenty of them are within reach of anyone with a grievance and an internet connection, and the underground economy for botnets is booming.

Botnets ‘for hire’ are popular – unskilled attackers are able to hire botnet services for bargain-basement prices. Just as an enterprise can subscribe to a technology provider or a cloud-based DDoS mitigation service, hacktivists can subscribe to a DDoS service to launch attacks.

While hacktivism has gained tremendous press attention recently, there is evidence of DDoS attacks being used for competitive gain. For example, the Russian security service FSB arrested the CEO of ChronoPay, the country’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals. He was charged with a DDoS attack on rival Assist that paralysed the ticket-selling system on the Aeroflot website.

This all has overwhelming implications for the threat landscape, risk profile, network architecture and security deployments for all service providers and enterprises.

With the democratisation of DDoS has come a change in the attacks themselves. The methods hackers use to carry out DDoS attacks have evolved from the traditional high-bandwidth, volumetric attacks to stealthy application-layer attacks and state-exhaustion attacks that fill the connection tables of firewalls and IPS, with a combination of any or all three being used in some cases.

Multi-vector attacks are becoming more common. A high-profile attack on Sony in 2011 left the company blind to security breaches that compromised user accounts on the PlayStation Network, Qriocity and Sony Online Entertainment, because it was distracted by concurrent DDoS attacks.

Whether used for the sole purpose of shutting down a network or as a means of distraction to obtain sensitive data, DDoS attacks continue to become more complex and sophisticated. While some DDoS attacks have reached levels of 100Gbps, low-bandwidth, application-layer attacks have become more prominent as attackers exploit the difficulties in detecting these ‘low-and-slow’ attacks before they impact services.
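As an added illustration (not Arbor’s code), here is the kind of check that separates a low-and-slow application-layer attack from normal traffic, run over a constructed snapshot of a server’s connection table. The record format, the thresholds and the table size are assumptions. The network floods named earlier on this page (SYN, UDP, ICMP) are measured in bits or packets per second; what this attack leaves behind instead is connection state: many long-lived connections from one source that never complete a request, which is also the state that a firewall or IPS in front of the server has to hold.

```python
"""Spotting a low-and-slow (partial-request) attack in a connection table.

Added illustration only. Assumed model (not from the article): the
server keeps one record per open connection with the source address,
the time it was opened, bytes received so far and whether a complete
request has arrived. The thresholds and table size are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

STALE_AFTER_S = 30     # a request still incomplete after this long is suspicious
MIN_STALE_CONNS = 10   # per-source stale count that marks a suspect
TABLE_SIZE = 256       # assumed server connection-slot limit


@dataclass
class Conn:
    src: str
    opened_at: int        # seconds
    bytes_in: int
    request_complete: bool


def constructed_table() -> List[Conn]:
    """Made-up snapshot taken at t = 60 s."""
    conns: List[Conn] = []
    # 20 ordinary clients, each with one finished request
    conns += [Conn(f"10.0.0.{i}", 50, 800, True) for i in range(1, 21)]
    # one genuinely slow client on a poor link: two partial requests, 20 s old
    conns += [Conn("192.0.2.44", 40, 120, False) for _ in range(2)]
    # slow-header attacker: 150 connections, each drip-feeding a few bytes,
    # opened 36-55 s ago and still without a complete request
    conns += [Conn("198.51.100.9", 5 + (i % 20), 40, False) for i in range(150)]
    return conns


def analyse(conns: List[Conn], now: int) -> Tuple[Dict[str, int], int, float]:
    """Return (suspect sources -> stale partial connection count,
    stale partial connections in total, fraction of the table they hold)."""
    stale_by_src: Counter = Counter()
    for c in conns:
        # The signal is age without completion, not bytes per second:
        # each of these connections looks harmless on a bandwidth graph.
        if not c.request_complete and now - c.opened_at > STALE_AFTER_S:
            stale_by_src[c.src] += 1
    stale_total = sum(stale_by_src.values())
    suspects = {src: n for src, n in stale_by_src.items() if n >= MIN_STALE_CONNS}
    return suspects, stale_total, stale_total / TABLE_SIZE


if __name__ == "__main__":
    suspects, stale, share = analyse(constructed_table(), now=60)
    print(f"suspects: {suspects}")
    print(f"{stale} stale partial connections hold {share:.0%} of {TABLE_SIZE} slots")
```

In the constructed snapshot the attacker’s 150 idle connections are the only ones flagged, and they already occupy well over half of the assumed 256-slot table at a trickle of bandwidth; the slow but honest client is not flagged because its two connections are younger than the threshold. Run the same check at t = 30 s and nothing is flagged yet, which is the detection gap the article refers to: the state is being consumed before any per-second metric moves.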

Of the respondents surveyed in Arbor’s report, 40 per cent reported an inline firewall and/or IPS failure due to a DDoS attack, and 43 per cent reported a load-balancer failure.

While these products have a place and are an important part of an organisation’s overall IT security portfolio, they are not designed to protect availability: a stateful firewall, IPS or load balancer has to keep an entry for every connection it sees, so its state table is itself a finite resource that an attacker can fill. To ensure the best possible protection, organisations should adopt a multi-layered approach, combining a purpose-built, on-premise device with an in-cloud service.

DDoS mitigation is not a short-term fix. At Arbor Networks, we believe that this is something that should sit within a company’s overall risk-planning considerations. Just as physical security can be impacted by fire or extreme weather, digital security includes evaluating threats to availability, namely DDoS attacks.

It is becoming increasingly important to develop a plan to identify and stop them before they impact services, just as you would with natural disasters such as earthquakes or floods.

It is time for companies to start considering DDoS in their business-continuity planning. If they don’t, and they are targeted, the resulting chaos and lack of tools extends the outage and increases the costs both from an immediate financial perspective, and in terms of longer-term brand damage.


Source: http://www.scmagazineuk.com/the-changing-face-and-growing-threat-of-ddos/article/241020/

TechWeekEurope learns an Anonymous splinter group took down Theresa May’s website, whilst targeting the ICO and the Supreme Court

On May 14, 2012 by Tom Brewster

Home secretary Theresa May saw her website taken down last night, in what TechWeekEurope understands was part of a widespread distributed denial of service (DDoS) campaign carried out by an Anonymous splinter group this weekend.

May’s website (tmay.co.uk) was down from around 9pm last night until approximately 10am this morning, it is believed.

Websites of the Supreme Court and the Information Commissioner’s Office (ICO) were down for large chunks of Sunday afternoon and evening too, although neither would confirm whether their sites were out of action due to a DDoS.

“We believe the website was targeted with a distributed denial of service. Mrs May treats threats of disruption to her website very seriously,” a spokesman for Theresa May said.

“Access to the ICO website was not possible yesterday afternoon,” an ICO spokesperson said. “We provide a public facing website which contains no sensitive information.”

Agent Smith talks…

The “voice” of a UK-based Anonymous group calling itself the ATeam told TechWeekEurope it had targeted and successfully taken down all three sites as part of the campaign against the UK’s attitude to extradition.

Talking over Skype, the spokesperson, going by the name of Winston Smith, said the attack on the Theresa May website was part of OpTrialAtHome, which is protesting against the UK’s extradition treaty with the US. In particular, Smith pointed to the case of Gary McKinnon, who remains in limbo over whether he will be extradited to the US on hacking charges.

The government has come under fire for leniency to the US. The debate over the extradition treaty was given a fresh lease of life in March, when the home secretary approved the extradition of British student Richard O’Dwyer, who is facing charges of conspiracy to commit copyright infringement and criminal infringement of copyright for his role in the TV Shack website.

“The Computer Misuse Act should be applied at the location of the crime, not at the alleged source,” he said. “The US-UK judiciary change source and location application of the law when it suits them. That was one aspect of the protest.”

As for the ICO, the ATeam claimed it hit the data protection regulator because of a “failure to protect privacy.” “The ICO are not equipped, nor have the motivation to ensure that we are protected,” Smith said.

The hacktivist collective is also protesting the Leveson Inquiry, which it believes has not worked effectively in punishing the media for hacking offences. Smith said Leveson was a “complete failure”.

Smith, who claimed to be a former investment banker, said the ATeam, also known as the Anonymous Team, consisted of 10 people who were “the best in the world.” The group does not directly work with other Anonymous cells.

He said the average age of the group was around 40, making it different from the other Anonymous groups, which consist largely of “children” who “cause more harm than good” and have “no understanding of what they are doing”.

“There are many anons who are actual extremists hiding behind the mask,” Smith added. “We believe the mask has to come off.”

Smith said another key protest will focus on the draft Communications Data Bill, which was announced in the Queen’s Speech last week. Via a source within government, TechWeekEurope exclusively revealed the Coalition was already believed to be backing away from one of the key aspects of the bill – the black boxes in which citizens’ comms data would be stored within ISPs.

In the coming weeks, the ATeam hopes to take down more websites, including those of the Leveson Inquiry, the Home Office and the Supreme Court.

Smith and Anonymous have been linked with previous hits on the Home Office websites, as well as attempts on GCHQ.

Anonymous has had another busy year. Earlier this month, the group took responsibility for hits on ISPs TalkTalk and Virgin in protest at the Pirate Bay ban they were forced to impose. However, the Pirate Bay posted a public notice denouncing the use of DDoS as a protest tool.

UPDATE: This afternoon, the ICO website has been experiencing further problems, with its website inaccessible at the time of publication. The same Anonymous team told TechWeekEurope it had hit the watchdog’s site, whilst the ICO said it was looking into the matter.

“We are reviewing the underlying causes for the website being down with the providers of our web hosting,” an ICO spokesperson said.

Smith said the group had targeted the ICO as part of a protest against the Leveson Inquiry. “The information commissioner has failed to address the multiple data protection breaches of citizens by the media,” he added.


Source: http://www.techweekeurope.co.uk/news/anonymous-strikes-down-theresa-may-website-in-extradition-protest-77894