Denial of Service Attack Archive

An Akron man is facing federal charges after he was arrested Thursday morning for allegedly hacking the city of Akron and Akron Police Department websites last year.

According to an FBI spokesperson, 32-year-old James Robinson was charged with knowingly causing the transmission of a program, information, code and command, and intentionally causing damage to a protected computer.

Authorities say Robinson carried out the cyber attacks on Aug. 1, 2017. The distributed denial of service (DDoS) attack overwhelmed both websites and took them down for a period of time.

On the day of the attack, a Twitter user named @AkronPhoenix420 tweeted a link to a YouTube video claiming credit for taking the websites out of service. The tweets included the hashtags #Anonymous and #TangoDown, authorities said.

The video showed a person in a Guy Fawkes mask and the statements “it’s time to teach the law a lesson,” and “Akron PD abuses the law.” The video also stated, “this week the city of Akron experienced system failures on multiple domains including their emergency TCP ports.”

Evidence linked the attack’s point of origin to an internet connection registered to Robinson. Additional evidence showed his phone was associated with the @AkronPhoenix420 Twitter account, police said.

The same Twitter account also claimed responsibility for numerous other DDoS attacks targeted at the Ohio Department of Public Safety, Department of Defense, and others. Police said the characteristics of those attacks had similarities with the one carried out in Akron.

Police executed a search warrant on Robinson’s home on May 9. Inside, they found a Guy Fawkes mask and a cell phone with a cracked screen that was seen in the video. Authorities said Robinson told them he was responsible for the Akron cyber attack as well as the DDoS attacks against the Department of Defense.

Source: https://www.news5cleveland.com/news/local-news/akron-canton-news/man-charged-in-federal-court-for-ddos-attack-on-akron-police-department

A crowdfunding initiative run by Together for Yes has suffered a DDoS attack.

The digital campaigning element of the imminent referendum in Ireland has seen a massive amount of change in a relatively short time.

Only this week did Facebook and Google place curtailments on digital advertising around the referendum, as Google banned all online ads relating to the Eighth Amendment from its platforms, while Facebook restricted advertising to registered Irish organisations and groups. As the online advertisements mention abortion, they would be restricted by Twitter’s existing ad policies.

Crowdfunding site hit

In another twist, a crowdfunding website for the national civil society group campaigning for a Yes vote was hit by a DDoS attack yesterday evening (9 May). The website, hosted by CauseVox, experienced a DDoS attack from within Ireland. It momentarily disrupted service and brought down CauseVox’s security infrastructure. The attack took place at 5.45pm, which would ordinarily have been a peak time for donations, and the website shut down for 30 minutes.

CauseVox also hosts crowdfunding pages for Amnesty International Ireland and Terminations for Medical Reasons – both groups that are campaigning for a Yes vote later in the month. Amnesty Ireland director Colm O’Gorman confirmed its website was down for approximately 45 minutes.

Sarah Monaghan, Together for Yes spokesperson, said: “We are continuing to investigate this extremely serious incident and are actively consulting security experts in the field to help identify the specific source of the attack, and have made a report to Gardaí.

“Together for Yes is a national grassroots movement which relies on small donations from large numbers of people. Our crowdfund initiative is a core element of the manner in which we resource our campaign and therefore we would take extremely seriously any attempt to undermine it.”

A spokesperson for Amnesty International explained the issue further to Siliconrepublic.com: “We were informed by CauseVox, the hosting platform, that there was a DDOS attack originating from Ireland. The website was interrupted at 5.45pm for around 45 minutes.

“This is obviously a serious issue, but also an indication of the lengths some will go to try shut down our efforts to counter such misinformation. We will continue our online campaign to counter misinformation across as many platforms as possible.”

The spokesperson noted that CauseVox is a reputable platform and that the site was up and running soon after the initial attack. They added that CauseVox had assured them that steps to mitigate such attacks in future were being taken. The incident is still under investigation.

DDoS explained

A DDoS (distributed denial of service) attack’s main aim is to make a target website, machine or network resource unavailable.

Usually, this type of cyberattack is carried out by flooding a system (a server, for example) with requests until it can no longer respond, which can cause the website to crash. A database could likewise be hit with a massive volume of queries. In this particular case, the result was an overwhelmed website.

Impact from DDoS attacks can vary from mild disruption to total denial of service to entire websites, apps or even businesses.

DDoS attacks have grown exponentially in scale, and occur quite often in the cybercrime world. In the 1990s, a DDoS incident would have typically involved 150 requests per second, but attacks these days can exceed 1,000Gbps.

The Mirai botnet is a prime example of a modern DDoS attack. A massive attack also occurred on GitHub earlier in 2018, using a new technique called ‘memcaching’.
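The flood described in the section above is visible on the target as an abnormal request rate from a small number of sources. The following added example (not code from the article) shows the basic detection: a sliding-window request counter per source address over web access log lines. The log layout follows the common Apache/nginx format, and every sample line, address and threshold here is constructed for illustration.

```python
"""Sliding-window request-rate detection over web access logs.

Added example for the "DDoS explained" section; it is not from the
article. The log format follows the Apache/nginx combined-style layout
and every sample line is constructed for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_floods(lines, window_seconds=10, threshold=50):
    """Return {ip: peak requests seen inside one window} for IPs over threshold.

    Each IP keeps a deque of timestamps inside the trailing window; its
    length is the request count, so memory per IP is bounded by the window,
    not by the total number of lines that IP produced. Lines are assumed to
    be in chronological order per IP, as a server log normally is.
    """
    windows = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate malformed lines instead of aborting the scan
        ip, ts, _ = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire timestamps that left the window
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def make_sample_log():
    """Constructed log: one flooding client, one ordinary client, one bad line."""
    start = datetime(2018, 5, 9, 17, 45, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):  # 120 hits in 6 seconds from a single address
        ts = (start + timedelta(milliseconds=50 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /donate HTTP/1.1" 200 512')
    for i in range(8):  # 8 hits spread over 40 seconds
        ts = (start + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.20 - - [{ts}] "GET / HTTP/1.1" 200 1024')
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(make_sample_log()).items():
        print(f"{ip}: {peak} requests within 10s")
```

A per-source counter like this catches a single-source flood; a truly distributed attack spreads the load across many addresses, each of which may stay under the threshold, which is why the window and threshold are parameters and why aggregate rate per URL or per backend is monitored alongside the per-IP view.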

Updated, 4.28pm, 10 May 2018: This article was updated to include comments from an Amnesty International spokesperson.

Updated, 6.21pm, 10 May 2018: A correction has been made to clarify that individual websites hosted by CauseVox, and not the entire platform, were affected by this attack.

Source: https://www.siliconrepublic.com/enterprise/referendum-ddos-attack-ireland

A German hacker who launched DDoS attacks and tried to extort ransom payments from German and UK firms was sentenced last month to one year and ten months of probation.

The hacker, identified by authorities only as 24-year-old Maik D., but known online as ZZb00t, was fingered for attacking companies such as eBay.de, DHL.de, billiger.de, hood.de, rakuten.de, DPD.de, EIS.de and ESL.eu, as well as some UK firms.

Hacker would launch DDoS attacks and then extort victims

ZZb00t would act following the same pattern. He’d first warn companies via Twitter, and then launch DDoS attacks, taking down services from hours to up to a day.

Maik, who in real life was an IT security consultant, would often criticize companies for their poor security practices.

“Sadly but true @[REDACTED] your servers just sucks,” he wrote in one tweet. “Never thought that [REDACTED] was so extremely poorly protected. It’s more than embarrassing,” he wrote in another.

He’d often claim his actions were only for the purpose of exposing security weakness, claiming he was a vulnerability hunter.

But Maik wouldn’t launch DDoS attacks just out of the kindness of his heart so that companies would improve security. The hacker would often send emails promising to stop attacks for a payment in Bitcoin.

Hacker arrested after one company pressed charges

His DDoS and extortion campaigns were tracked throughout last year by German blog Wordfilter.de [1, 2, 3, 4]. A recently released Link11 report details the hacker’s tactics.

The hacker was active at the same time as another DDoS extortion team named XMR Squad, and Link11 claims in its report that there was a working relationship and coordination of attacks between ZZb00t and XMR Squad members.

Link11 says it documented over 300 of ZZb00t’s tweets related to attacks he carried out before German authorities arrested the suspect on May 23, last year, putting an end to his attacks.

Source: https://www.bleepingcomputer.com/news/security/ddoser-who-terrorized-german-and-uk-firms-gets-off-without-jail-time/

With the rapid advancement of internet-based technologies, cybersecurity is a constant cloud looming on the horizon. As the technology evolves, so too, do the cybercriminals. Their constant efforts to steal valuable data and disrupt business through DDoS attacks are increasingly sophisticated.

Holding companies hostage and monetizing data through ransomware techniques is sadly par for the course. In fact, it’s estimated that cybersecurity alone costs the global economy some $450 billion a year. With IT professionals scrambling to stay one step ahead of the hackers, how can blockchain be used to aid cybersecurity?

No Single Point of Failure

The decentralized nature of the blockchain means that there is no single point of failure, nor one central database waiting to be hacked. Information is stored across several databases, and each block is linked to the next in the chain, leaving no single “hackable” entrance. This provides infinitely greater security than our current, centralized structures.

Removing Human Error

The weakest link in our current system is simple logins that are vulnerable to being cracked. Blockchain can remove human error in cybersecurity, as businesses can authenticate devices without the need for a password system. Each device is provided with a specific SSL certificate rather than a password, which removes human intervention as a potential attack vector.

Bitcoin advocate, adjunct professor at NYU Law School and practicing attorney, Andrew Hinkes, explains, “Using a public blockchain with proof of work consensus can remove the foibles of human mistake or manipulation.”

Detecting Tampering in Real Time

The blockchain can uncover and reject suspicious behavior in the system in real time. Say, for example, that a hacker tried to interfere with the information in a block. The entire system would be alerted and examine all data blocks to locate the one that stood out from the rest. It would then be recognized as false and excluded from the system.

Improving IoT Security

With the rise in IoT devices, come inherent security risks. We’ve already seen problems occur when trying to disable compromised devices that become part of botnets. According to Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, the blockchain can put an end to that:

“The blockchain, with its solid cryptographic foundation offering a decentralized solution can aid against data tampering, thus offering greater assurances for the legitimacy of the data.” This would mean that potentially billions of IoT devices could connect and communicate in a secure ecosystem.

Traceability

All transactions on the blockchain are highly traceable, using a timestamp and digital signature. Companies can easily go back to the root of each and every transaction to a given date and locate the corresponding party. Since all transactions are cryptographically associated with a user, the perpetrator can be easily found.

Says Hinkes, “Blockchains create an audit trail of all activity by its participants, which simplifies access control and monitoring.” This offers companies a level of security and transparency on every iteration.

The Takeaway

Currently, the impending threat of DDoS attacks comes from our existing Domain Name System. Blockchain technology would disrupt this completely by decentralizing the DNS and distributing the content to a greater number of nodes. This would make it virtually impossible for cybercriminals to hack and create a secure environment to host the world’s data.

Source: https://blocksleuth.com/category/ddos-attacks/

Multiple vendors this week say they have seen a recent spike in UDP attacks coming in via port 11211.

Multiple security vendors this week are warning about threat actors for the first time exploiting unprotected Memcached servers to launch dangerously large denial-of-service attacks against target organizations.

German DDoS mitigation service provider Link11, one of those to report on the new activity, says that over the past few days it has observed massive UDP attacks in which Memcached servers have been used as an amplification vector.

Each of the high-bandwidth attacks that Link11 observed in late February has exceeded 100 Gbps, with peaks of well over 400 Gbps. The attacks went on over multiple consecutive days and lasted up to 10 minutes on average, according to the company.

Akamai Technologies says this Monday it mitigated a 190 Gbps Memcached attack that generated over 17 million packets per second. Cloudflare, another vendor to report on the previously unseen attack type, says that over the past two days it has seen an increase in UDP attacks coming in via UDP port 11211, the port associated with Memcached services.

The company says the peak inbound UDP Memcached traffic it has seen so far is 260 Gbps, which is massive for a completely new amplification vector.

Memcached is open source software that many organizations install on their servers to increase performance speed. It works by caching data in system memory and is designed purely for use behind firewalls and on enterprise LANs, says Link11 CTO Karsten Desler. But many organizations have deployed Memcached hosts that are completely accessible from the public Internet. All that attackers have to do is to search for these hosts and then use them to direct high-volume DDoS traffic at a victim.

Desler says a recent Link11 scan showed at least 5,000 Memcached servers deployed on the public Internet that are open for exploit. These servers give attackers a way to generate massive volumes of DDoS traffic with even a relatively small bandwidth connection and minimal input.

“The amplification factor with Memcached servers is hundreds of times larger than DNS,” says Desler. “You need a lot fewer servers to get the same bandwidth [compared to] using DNS, NTP, or any other amplification vector,” he says.

With DNS amplification, for instance, an attacker might be able to generate a 50KB response to a 1KB request. But with a Memcached server, an attacker would be able to send a 100-byte request and get a 100MB or even 500MB response in return. In theory, at least, the amplification could be unlimited, Desler says.

Security researchers have previously warned about Internet-facing Memcached servers being open to data theft and other security risks. Desler theorizes one reason why attackers have not used Memcached as an amplification vector in DDoS attacks previously is simply because they have not considered it and not because of any technical limitations.

Exploiting Memcached servers is new as far as real-world DDoS attacks are concerned, says Chad Seaman, senior engineer with Akamai’s Security Intelligence Response Team. “A researcher had theorized this could be done previously,” Seaman says. “But as Memcached isn’t meant to run on the Internet and is a LAN-scoped technology that is wide open, he thought it could really only be impactful in a LAN environment.”

But the use of default settings and reckless administration overall among many enterprises has resulted in a situation where literally tens of thousands of boxes running Memcached are on the public-facing Internet, Seaman says. “And now the DDoS attackers have found them and appear to be capitalizing on them before significant clean-up efforts take place.”

What makes the attacks worrisome is that Memcached services are deployed on servers and in hardware pools with plenty of bandwidth and resources. Unlike typical reflected attacks with mostly static payloads — like CharGen and NTP — that cannot be easily modified, with Memcached reflection an attacker has much more control over the payload. This gives them the potential to do a lot more damage, Seaman says.

“The primary problem is that Memcached, with its lack of authentication or controls, is world readable and writable. It’s also very fast, as it does all data management directly in memory, and by default it supports key value stores of up to 1MB.”

So, if attackers can find suitably beefy machines and load them up with as many keys as they want, they can use the box to launch waves of traffic with amplification rates far exceeding the norm for DDoS attacks, Seaman says. “In theory, an attack could unleash gigs of traffic from a single machine with a packet that’s only a few dozen bytes.”

Mitigation at this point is basically blocking traffic from source port 11211 at the router, firewall, and elsewhere along the network edge, adds Domingo Ponce, director of global security operations at Akamai. Organizations also need to ensure they have the bandwidth to absorb the attacks while allowing legitimate traffic to remain up.

“It’s real and we’ve seen it,” Ponce says. “At the end of the day, your pipes better be big enough.”
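The article describes two things a network team needs to see in its own flow data: reflected UDP/11211 traffic arriving at its hosts (it is the victim), and its own Memcached hosts answering Internet queries from UDP/11211 (it is the reflector), with the amplification factor being the ratio of response bytes to request bytes. The following added example (not code from the article or from Link11, Akamai or Cloudflare) triages NetFlow-style records into those roles and estimates the amplification ratio per endpoint pair. The CSV field layout, the internal prefix 192.0.2.0/24 and all sample records are constructed for illustration.

```python
"""Flow-record triage for Memcached (UDP/11211) reflection.

Added example for the Memcached article; it is not code from the article
or from any of the vendors quoted in it. The CSV flow format, the
"internal" prefix and all sample records are constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
UDP = 17

# Address space we operate (constructed); everything else is external.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow export (NetFlow-like), one record per unidirectional flow.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
198.51.100.9,40000,192.0.2.10,11211,17,5,400
192.0.2.10,11211,198.51.100.9,40000,17,5715,8000000
203.0.113.50,11211,192.0.2.20,80,17,200000,280000000
192.0.2.30,53000,198.51.100.53,53,17,1,70
198.51.100.9,44444,192.0.2.10,11211,6,12,900
"""


def is_internal(ip):
    """True if the address falls inside one of our prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow records into dicts with integer numeric fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "proto", "packets", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def classify(flow):
    """Label a UDP flow by its role in a Memcached reflection, else None.

    'victim'    : external 11211-sourced UDP aimed at our hosts (we are the
                  target of reflected traffic).
    'reflector' : our host answering from UDP/11211 to the Internet (our
                  Memcached is being used as the amplifier).
    'probe'     : external UDP query reaching our 11211 (should not exist
                  once Memcached is LAN-bound or has UDP disabled).
    Only UDP is considered; TCP connections to 11211 are a data-exposure
    concern rather than reflection traffic.
    """
    if flow["proto"] != UDP:
        return None
    src_in, dst_in = is_internal(flow["src_ip"]), is_internal(flow["dst_ip"])
    if flow["src_port"] == MEMCACHED_PORT and not src_in and dst_in:
        return "victim"
    if flow["src_port"] == MEMCACHED_PORT and src_in and not dst_in:
        return "reflector"
    if flow["dst_port"] == MEMCACHED_PORT and dst_in and not src_in:
        return "probe"
    return None


def summarize(flows):
    """Aggregate packets, bytes and bytes-per-packet per role."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for flow in flows:
        role = classify(flow)
        if role is None:
            continue
        totals[role]["packets"] += flow["packets"]
        totals[role]["bytes"] += flow["bytes"]
    for stats in totals.values():
        stats["bytes_per_packet"] = stats["bytes"] / stats["packets"]
    return dict(totals)


def amplification_estimates(flows):
    """Response bytes / request bytes per (our host, external peer) pair.

    Pairs each 'probe' flow (query into our Memcached) with the matching
    'reflector' flow (its answer) by endpoint addresses; the ratio is the
    amplification factor the article describes.
    """
    requests, responses = defaultdict(int), defaultdict(int)
    for flow in flows:
        role = classify(flow)
        if role == "probe":
            requests[(flow["dst_ip"], flow["src_ip"])] += flow["bytes"]
        elif role == "reflector":
            responses[(flow["src_ip"], flow["dst_ip"])] += flow["bytes"]
    return {pair: responses[pair] / requests[pair]
            for pair in requests if pair in responses and requests[pair]}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for role, stats in summarize(flows).items():
        print(role, stats)
    for (host, peer), ratio in amplification_estimates(flows).items():
        print(f"{host} -> {peer}: ~{ratio:.0f}x amplification")
```

Any 'reflector' or 'probe' hit means a Memcached instance is reachable from the Internet over UDP; besides the edge filter on source port 11211 that Akamai recommends above, the instance itself should listen only on an internal address (memcached's -l option) and have its UDP listener turned off (-U 0), which removes the reflection path regardless of what the firewall does. The 'victim' bytes-per-packet value near the MTU is the signature of reflected payloads rather than ordinary cache responses.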

Source: https://www.darkreading.com/attacks-breaches/memcached-servers-being-exploited-in-huge-ddos-attacks/d/d-id/1331149