Denial of Service Archive

In 2012, a number of DDoS attacks hit Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank. These attacks have since spread across most industries from government agencies to local schools and are showing an almost yearly evolution, with the most recent focus being the Internet of Things (IoT).

In 2016, compromised cameras, printers, DVRs and other IoT appliances were used in a large attack on Dyn that took down major websites including Amazon, Twitter, Netflix, Etsy and Spotify.

Inside Distributed Denial-of-Service Threats

Although these large attacks dominate the headlines, they’re not what most enterprises will deal with day to day. The most common attacks are 20 to 30 Gbps or smaller, while the largest reported attacks have reached about 1.2 Tbps.

Creating DDoS Defense

Security technology is becoming more sophisticated, but so are hackers, which means attacks can be much more difficult to mitigate now than in the past. Enterprises must be knowledgeable and prepared with mitigation techniques as the attacks continue to evolve.

DDoS mitigation comes in three models:

Scrubbing Centers

The most common DDoS mitigation option for enterprises is to buy access to a scrubbing center service. During an attack, traffic is redirected to the security provider’s network, where the bad traffic is “scrubbed out” and only good traffic is returned to the customer. This option is good for multi-ISP environments and can be used to counter both volumetric and application-based attacks. For added protection, some providers can actually place a device in your data center, but this is not as cost-effective as the cloud-based option.

ISP Clean Pipes Approach

With the rise of DDoS attacks, many ISPs have started their own scrubbing centers internally, and for a premium will monitor and mitigate attacks on their customers’ websites. In this scenario, ISPs operate as a one-stop-shop for bandwidth, hosting and DDoS mitigation. But some ISPs are more experienced at this than others, so customers must be sure to thoroughly test and research the quality of the service offered by their ISPs.

Content Delivery Network Approach

The distributed nature of content delivery networks (CDNs) means that websites live globally on multiple servers versus one origin server, making them difficult to take down. Large CDNs may have over 100,000 servers distributing or caching web content all over the world. However, CDN-based mitigation is really only a good option for enterprises that require core CDN functionality, as porting content to a CDN can be a time-intensive project.

Source: https://www.forbes.com/sites/gartnergroup/2017/08/28/3-ways-to-defeat-ddos-attacks/#dda62aada78f

Attacks designed to overwhelm servers with internet traffic — known as distributed denial of service (DDoS) attacks — were less frequent this spring than last, according to Akamai’s second quarter report.

Akamai is a major seller of services to fight DDoS attacks. According to the company’s report, attacks declined by 18 percent between the beginning of April and end of June from the same period last year.

DDoS attacks use hacked computers and internet-connected devices to send abnormal levels of traffic to a target, forcing it to slow or crash.

In October 2016, a DDoS attack knocked out Dyn, a domain name system provider that acts as a critical internet switchboard, rendering Twitter, Netflix and The New York Times unreachable. In May, the FCC reported that a DDoS attack slammed its commenting system, though critics have questioned whether this was an attack or just a flood of commenters weighing in on the contentious issue of net neutrality.

The report notes that while attacks are down year over year, attacks jumped 28 percent from the first quarter. But, it cautions quarterly data may not be the best measure of trends.

It explains many attacks are tied to yearly events: “For most organizations, security events aren’t seasonal, they happen year round, without the ability to anticipate attacks. Unless you’re the security team for a merchant, in which case you need to plan for Black Friday and Cyber Monday, since they are likely to be the high water marks for attack traffic for the year.”

While attacks rose from the beginning of the year, attack severity declined. “[F]or the first time in many years” Akamai observed no attacks exceeding 100 gigabits per second. The report speculates that one cause of the lower severity might be international success in taking botnets, the networks of hijacked computers, offline.

Gaming companies were the victims in around 80 percent of attacks observed by Akamai in the second quarter, with one customer seeing more than 550 attacks. At the USENIX conference this year, Akamai researchers, teaming with other industry players and academics, presented research that the Dyn attack was actually intended as an attack on one of Dyn’s clients, the gaming platform PlayStation.

According to that presentation, Dyn crashed as it handled requests headed to PlayStation.

Source: http://thehill.com/policy/cybersecurity/347496-ddos-attacks-down-in-second-quarter


There are multiple stories about how the capture of the infamous Anonymous leader Sabu went down. Here’s one, and another about what he is doing today.

The capture of Sabu was perhaps the most spectacular fall from grace this century, at least in the security world. He went from being the most beloved figure in the hacktivist group, Anonymous, to being its most hated.

From 2011 to 2012, Sabu was the unofficial leader of the online activist group. He organized effective distributed denial-of-service (DDoS) campaigns and enforced meaningful discipline within Anonymous where there hadn’t been any before — and hasn’t been since.

During Sabu’s reign, Anonymous became adept at handling the media, making effective use of Twitter to claim victory (even if they were hollow victories at best). Screenshots of “site down” pages were taken, tweeted, and trumpeted to the media, which eagerly wrote about the fearsome prowess of Anonymous. These were the salad days of Anonymous, when they seemed untouchable and everywhere.

To maximize the glory, Sabu collected a smaller cadre of hacktivists from Anonymous and named it LulzSec, which became famous very quickly for a series of high-profile hacks. Where many people passively supported the egalitarian goals of Anonymous, they were turned off by the actions of LulzSec, which were seen as creating much collateral damage to innocent citizenry.

The LulzSec attack on Sony Pictures is an illustrative example. Sony Pictures was running several prize giveaways as part of a marketing campaign. LulzSec used a basic SQL injection to breach the SonyPictures.com database and grabbed the usernames, passwords, and personal profiles of over one million registered users. They then dumped the data to Pastebin. LulzSec’s justification at the time was that Sony Pictures’ security was “… disgraceful and insecure: they were asking for it.” But the justification seemed little more than braggadocio to the community. When someone asked LulzSec why they would compromise the credentials of so many innocent television watchers, they replied “we do it for lulz” (the laughs).

Well, LulzSec wasn’t going to keep laughing for long.

By that time, Sabu had achieved an almost messianic following among Anonymous, and his Twitter account, @anonymouSabu, had hundreds of thousands of followers. He was number one on the FBI’s most wanted cybercriminal list.


If that weren’t enough heat, Sabu had also attracted the attention of his polar opposite: the famous pro-U.S., ex-Special Ops service member and hacker known as The Jester. The Jester, too, was known for distributed denial-of-service attacks and had been spending months attacking Jihadist websites in order to drive their users into more centralized, resilient networks where they could be monitored by the various agencies that track terrorist activity.

As an ex-military operative, The Jester loathed Sabu. The two stood at opposite sides on nearly any given topic: WikiLeaks, Anonymous, the Occupy movement, the forum 4chan, the CIA, and the Palestinian/Israeli conflict, to name just a few. One notable exception was the Westboro Baptist Church (WBC), which is known for conducting anti-gay protests at military funerals. Both Sabu and the Jester agreed about this group, and they both attacked the WBC repeatedly.

During the first half of 2011, Sabu and The Jester tried repeatedly to uncover each other’s identity. The conflict between Sabu and the Jester reached a fever pitch at DEF CON 19, the nineteenth annual security convention in Las Vegas. Both hackers claimed to be in attendance along with the 20,000 other hackers, researchers, and undercover FBI agents. The Jester taunted Sabu to come out and meet him face-to-face. Sabu replied that of course he would not. The Jester was suspected to be in collusion with, or at least sanctioned by, the U.S. government. Sabu protested that if he were to expose his own identity, even privately, to The Jester, he would be immediately pounced upon by the authorities.

Sabu did not come out to meet The Jester, and a few months later we found out why: Sabu had already been nabbed and turned by the FBI. There are multiple stories about how the capture of Sabu went down. The simplest one goes like this. Sabu, of course, used anonymization networks to hide his identity and frustrate source tracing; network anonymization would have been a basic precaution for the most-wanted cybercriminal at the time.

According to one story, Sabu forgot to activate his Tor link a single time, and logged into a server using his real IP address. The authorities traced his real IP address, and Sabu was quickly and quietly detained.

Sabu’s real name, as it turns out, was Hector Xavier Monsegur, from the Puerto Rican island of Vieques. Monsegur had been implicated in, or had bragged about, dozens of illegal, high-profile hacks, not to mention multiple DDoS attacks. Facing a sentence of 25 to 100 years in prison, he struck a deal in which he agreed to turn over his friends from LulzSec to the authorities.

As part of Monsegur’s plea deal, the authorities were given access to his Twitter account and used it to collect information about Anonymous and LulzSec sympathizers. The judge in Monsegur’s case praised him for his “extraordinary cooperation” with the FBI. Armed with their informant’s information, the authorities apprehended the members of LulzSec. Many are now serving long jail sentences and owe hundreds of thousands of dollars in restitution to the organizations they once brazenly penetrated. Many in Anonymous felt betrayed by Monsegur’s cooperation with the authorities and publicly called him out. He has had little comment about it since.

Monsegur himself was freed on May 27, 2014 after time served. He now lives in New York City, where he occasionally gives interviews. He no longer tweets as Sabu, but instead as Hector X. Monsegur.

With LulzSec members behind bars, and Monsegur neutralized, The Jester went back to attacking Jihadist websites and gathering intel on ISIS. He blogs vociferously against the Trump Administration and maintains a store of “JesterGear” when he’s not running his own Minecraft server.

The Jester remains undoxxed to this day.

Source: http://www.darkreading.com/partner-perspectives/f5/profile-of-a-hacker-the-real-sabu-/a/d-id/1329359

Attackers are abusing misconfigured LDAP servers that expose the Connectionless Lightweight Directory Access Protocol (CLDAP) to the internet as reflectors for DDoS attacks.

More than 400 DDoS attacks taking advantage of misconfigured LDAP servers have been spotted by security researchers.

CLDAP DDoS attacks use an amplification technique that takes advantage of the Connectionless Lightweight Directory Access Protocol (CLDAP), which is LDAP carried over UDP. LDAP is one of the most widely used protocols for querying directory services such as Active Directory, on which many online services depend. When an Active Directory server is misconfigured so that its CLDAP service is exposed to the Internet, it can be used as a reflector in DDoS attacks.

Since the technique was first observed in October 2016, researchers at Corero Network Security have recorded a total of 416 CLDAP DDoS attacks, most of them against hosting and internet service providers. The largest attack recorded was 33 Gbps, the average was 10 Gbps, and the attacks lasted 14 minutes on average.

“These powerful short duration attacks are capable of impacting service availability, resulting in outages, or acting as a smoke screen for other types of cyber-attacks, including those intended for breach of personally identifiable data,” said Stephanie Weagle, vice president of marketing at Corero Network Security, in a blog post.

Stephen Gates, chief research intelligence analyst from NSFOCUS, told SC Media UK that in the quest to find new means of launching DDoS attacks, hackers have once again found open devices on the Internet running weak protocols that can be exploited for their personal gain.

“However, like any other reflective DDoS attack campaign, the number of available reflectors is of critical importance.  In addition, the amplification factor those reflectors afford is the second stipulation,” he said.

“In this case, the number of open devices on the Internet running CLDAP is relatively small, in comparison to open DNS and NTP reflectors; yet the amplification factor is respectable (~70x). Surely, this attack technique is new, but it is not the worst seen so far. This vector will likely be used in combination with other reflective attack techniques, and rarely used on its own. Until the world’s service providers fully implement BCP-38, similar discoveries and resulting campaigns will continue to plague us all.”

Bogdan Botezatu, senior E-Threat analyst at Bitdefender, told SC that a CLDAP attack is designed around third parties: an entity running a misconfigured instance of CLDAP, a victim and an attacker.

“The attacker would ask the CLDAP infrastructure to retrieve all the users registered in the Active Directory. Because the attacker makes this query look like it was initiated by the victim by replacing the originating IP address with the victim’s, the CLDAP service will actually send the answer to the victim,” he said.

“Subsequently, the victim finds itself being bombarded with the information they did not request. If the attacker can harness enough power, the victim’s infrastructure will crash under a load of unsolicited information.”

He said that organisations could deploy strong, restrictive firewall policies for inbound traffic. “Load balancing and specialised hardware can also help organisations absorb the impact,” said Botezatu.

Source: https://www.scmagazineuk.com/more-than-400-ddos-attacks-identified-using-new-attack-vector–ldap/article/652939/

Adam Mudd jailed for two years for creating attack-for-hire business responsible for more than 1.7m breaches worldwide.

A man has been jailed for two years for setting up a computer hacking business that caused chaos worldwide.

Adam Mudd was 16 when he created the Titanium Stresser program, which carried out more than 1.7m attacks on websites and services including Minecraft, Xbox Live, Microsoft and TeamSpeak, a chat tool for gamers.

He earned the equivalent of more than £386,000 in US dollars and bitcoins from selling the program to cyber criminals.

Mudd pleaded guilty and was sentenced at the Old Bailey. The judge, Michael Topolski QC, noted that Mudd came from a “perfectly respectable and caring family”. He said the effect of Mudd’s crimes had wreaked havoc “from Greenland to New Zealand, from Russia to Chile”.

Topolski said the sentence must have a “real element of deterrent” and refused to suspend the jail term. “I’m entirely satisfied that you knew full well and understood completely this was not a game for fun,” he told Mudd. “It was a serious money-making business and your software was doing exactly what you created it to do.”

Mudd showed no emotion as he was sent to a young offender institution.

During the two-day hearing, Jonathan Polnay, prosecuting, said the effect of Mudd’s hacking program was “truly global”, adding: “Where there are computers, there are attacks – in almost every major city in the world – with hotspots in France, Paris, around the UK.”

The court heard that Mudd, who lived with his parents, had previously undiagnosed Asperger syndrome and was more interested in status in the online gaming community than the money.

The court heard that the defendant, now 20, carried out 594 of the distributed denial of service (DDoS) attacks against 181 IP addresses between December 2013 and March 2015.

He has admitted to security breaches against his college while he was studying computer science. The attacks on West Herts College crashed the network, cost about £2,000 to investigate and caused “incalculable” damage to productivity, the court heard.

On one occasion in 2014, the college hacking affected 70 other schools and colleges, including Cambridge, Essex and East Anglia universities as well as local councils.

Mudd’s explanation for one of the attacks was that he had reported being mugged to the college but claimed no action was taken.

Polnay said there were more than 112,000 registered users of Mudd’s program who hacked about 666,000 IP addresses. Of those, nearly 53,000 were in the UK.

Among the targets was the fantasy game RuneScape, which had 25,000 attacks. Its owner company spent £6m trying to defend itself against DDoS attacks, with a revenue loss of £184,000.

The court heard that Mudd created Titanium Stresser in September 2013 using a fake name and address in Manchester. He offered a variety of payment plans to his customers, including discounts for bulk purchases of up to $309.99 for 30,000 seconds over five years as well as a refer-a-friend scheme.

Polnay said: “This is a young man who lived at home. This is not a lavish lifestyle case. The motivation around this we tend to agree is about status. The money-making is by the by.”

When he was arrested in March 2015, Mudd was in his bedroom on his computer, which he refused to unlock before his father intervened.

Mudd, from Kings Langley in Hertfordshire, pleaded guilty to one count of committing unauthorised acts with intent to impair the operation of computers; one count of making, supplying or offering to supply an article for use in an offence contrary to the Computer Misuse Act; and one count of concealing criminal property.

Ben Cooper, defending, appealed for his client to be given a suspended sentence. He said Mudd had been “sucked into” the cyber world of online gaming and was “lost in an alternate reality” after withdrawing from school because of bullying.

Mudd, who was expelled from college and now works as a kitchen porter, had been offline for two years, which was a form of punishment for any computer-obsessed teenager, Cooper said.

The “bright and high-functioning” defendant understood what he did was wrong but at the time he lacked empathy due to his medical condition, the court heard.

Cooper said: “This was an unhappy period for Mr Mudd, during which he suffered greatly. This is someone seeking friendship and status within the gaming community.”

But the judge said: “I have a duty to the public who are worried about this, threatened by this, damaged by this all the time … It’s terrifying.”

Source: https://www.theguardian.com/technology/2017/apr/25/teenage-hacker-adam-mudd-jailed-masterminding-attacks-sony-microsoft