Given that Distributed Denial of Service (DDoS) attacks are becoming more frequent, it is a good time to review the basics and how you can fight back.

A DDoS is an attack method used to deny access for legitimate users of an online service.  This service could be a bank or e-commerce website, a SaaS application, or any other type of network service. Some attacks even target VoIP infrastructure.

An attacker uses a non-trivial amount of computing resources, which they either built themselves or, more commonly, assembled by compromising vulnerable PCs around the world, to send bogus traffic to a site. If the attacker sends enough traffic, legitimate users of the site can’t be serviced.

For example, if a bank website can handle 10 people a second clicking the Login button, an attacker only has to send 10 fake requests per second to make it so no legitimate users can log in. There are a multitude of reasons someone might want to shut a site down: extortion, activism, competitive brand damage, and just plain old boredom.

DDoS attacks vary in both sophistication and size.  An attacker can make a fake request look like random garbage on the network, or more troublesome, make the attack traffic look exactly like real web traffic.  In addition, if the attacker has enough computing resources at their disposal, they can direct enough traffic to overwhelm the target’s bandwidth.

The simplest types of attacks are Layer 3 and 4 attacks (IP and UDP/TCP in the OSI stack).  These simply flood the network and servers such that they can no longer process legitimate network traffic because the attacks have saturated the network connectivity of the target.  A more complex Layer 7 attack “simulates” a real user trying to use a web application by searching for content on the site or clicking the “add to cart” button.
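As an added example (not from the article), here is a small Python check over constructed web-server log lines that shows why a Layer 7 flood is hard to spot by packet inspection alone: every request is a well-formed login POST, so the only signals are per-second volume against the site’s capacity (the 10-logins-per-second figure above) and how that volume is distributed across sources. The log format and the thresholds of 10 and 5 are assumptions.

```python
import re
from collections import defaultdict

# Assumed minimal access-log format: "<client ip> <epoch seconds> \"<METHOD> <path>\" <status>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def build_sample_log():
    """Constructed sample traffic: three ordinary visitors plus one source that
    sends 25 well-formed login POSTs per second for two seconds."""
    lines = [
        '198.51.100.7 1000 "GET /" 200',
        '198.51.100.7 1002 "POST /login" 302',
        '203.0.113.9 1001 "POST /login" 401',
        '203.0.113.9 1004 "POST /login" 302',
        '192.0.2.44 1003 "GET /account" 200',
    ]
    lines += ['192.0.2.200 1003 "POST /login" 401'] * 25
    lines += ['192.0.2.200 1004 "POST /login" 401'] * 25
    return lines


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def login_pressure(lines, capacity_per_s, per_source_limit):
    """Bucket login POSTs per second and return two findings:
    - the seconds in which total login volume exceeded the site's capacity
      (legitimate users are starved in those seconds regardless of who sent it)
    - the sources whose own per-second login rate exceeded per_source_limit
      (a floor a single real user would not reach; a flood spread over a large
      botnet can stay under it, which is why the first finding is kept separate)."""
    per_second = defaultdict(int)
    per_source_second = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/login":
            continue
        per_second[rec["ts"]] += 1
        per_source_second[(rec["ip"], rec["ts"])] += 1
    saturated = sorted(t for t, n in per_second.items() if n > capacity_per_s)
    offenders = sorted({ip for (ip, _), n in per_source_second.items()
                        if n > per_source_limit})
    return saturated, offenders


if __name__ == "__main__":
    saturated, offenders = login_pressure(build_sample_log(), 10, 5)
    print("seconds over login capacity:", saturated)    # [1003, 1004]
    print("sources over per-source limit:", offenders)  # ['192.0.2.200']
```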

There are four main types of protection from DDoS attacks:

* Do It Yourself. This is the simplest and least effective method. Generally someone writes some Python scripts that try to filter out the bad traffic, or an enterprise will try to use its existing firewalls to block the traffic. Back in the early 2000s, when attacks were pretty simple, this could work. But these days, attacks are far too large and complex for this type of protection. A firewall will melt quite quickly under the load of even a trivial attack.

* Specialized On-Premises Equipment. This is similar to “Do It Yourself” in that an enterprise is doing all the work to stop the attack, but instead of relying on scripts or an existing firewall, they purchase and deploy dedicated DDoS mitigation appliances.  These are specialized hardware that sit in an enterprise’s data center in front of the normal servers and routers and are specifically built to detect and filter the malicious traffic.  However, there are some fundamental problems with these devices:

• They are costly CAPEX purchases that may sit around and do nothing until you get attacked.  They also can be expensive to operate.  You need skilled network and security engineers to work these devices – there is no magic “mitigate DDoS” button.

• They must be constantly updated by the operations team to keep up to date with the latest threats.  DDoS tactics change almost daily.  Your team must be prepared to update these devices to the latest threats.

• They can’t handle volumetric attacks. It’s unlikely that an enterprise would have enough bandwidth coming in to handle the very large DDoS attacks occurring today. These hardware appliances don’t do any good when the attack exceeds network capacity.

* Internet Service Provider (ISP). Some enterprises use their ISP to provide DDoS mitigation. These ISPs have more bandwidth than an enterprise would, which can help with the large volumetric attacks, but there are three key problems with these services as well:

• Lack of core competency: ISPs are in the business of selling bandwidth and don’t always invest in the required capital and resources to stay ahead of the latest DDoS threats. It can become a cost center to them – something they have to provide, so they do it as cheaply as possible.

• Single provider protection: Most enterprises today are multi-homed across two or more network providers to remove the single point of failure of a provider. Having two providers is a best practice to maximize uptime. ISP DDoS mitigation solutions only protect their own network links, not the other links you might have, so now you need DDoS mitigation services from different providers, doubling your cost.

• No cloud protection: Similar to the above, a lot of Web applications these days are split between enterprise-owned data centers and cloud services like Amazon AWS, GoGrid, Rackspace, etc. ISPs can’t protect traffic on these cloud services.

* Cloud Mitigation Provider. Cloud mitigation providers are experts at providing DDoS mitigation from the cloud. This means they have built out massive amounts of network bandwidth and DDoS mitigation capacity at multiple sites around the Internet that can take in any type of network traffic, whether you use multiple ISPs, your own data center or any number of cloud providers. They can scrub the traffic for you and only send “clean” traffic to your data center.

Cloud mitigation providers have the following benefits:

• Expertise:  Generally, these providers have network and security engineers and researchers who are monitoring for the latest DDoS tactics to better protect their customers.

• Lots of bandwidth: These providers have much more bandwidth than an enterprise could provision on its own to stop the biggest volumetric attacks.

• Multiple types of DDoS mitigation hardware: DDoS attacks are extremely complex. Multiple layers of filtering are needed to keep up with the latest threats. Cloud providers should take advantage of multiple technologies, both commercial off-the-shelf (COTS) and their own proprietary technology, to defend against attacks.

Cloud mitigation providers are the logical choice for enterprises for their DDoS protection needs.  They are the most cost effective and scalable solution to keep up with the rapid advances in DDoS attacker tools and techniques.

Source: http://www.networkworld.com/news/tech/2013/091713-defending-against-ddos-273919.html?page=1

Interested in denying someone access to the Internet? Ten dollars provides a very nice DDoS (Distributed Denial of Service) platform, featuring one 60-second long attack that can be used as often as needed for an entire month. For those wanting more, 169 dollars provides the ultimate DDoS, three two-hour long attacks, also rentable by the month.

Bewildered by all the different suppliers? This forum reviewed the major cloud-based DDoS platforms, coming up with these favorites.

[Image: top10Booters 2.jpg (slide listing the forum’s top ten booters)]

Notice the slide’s title refers to Booters; the industry calls for-hire DDoS attacks booters when they have an online customer interface. The slide also refers to stressers [sic]. That’s an attempt to align with legitimate businesses that stress-test websites on how well they handle large volumes of incoming traffic.

I first became aware of booters when my friend and security blogger, Brian Krebs, reported in this post that someone initiated a Booter DDoS attack against his blog site. After reading Brian’s post, I realized DDoS attacks were no longer just in the realm of experienced and knowledgeable hackers. For a nominal fee, anyone can easily wreak havoc on someone else’s Internet experience.

Wanting to learn more, I did some digging: coming across an interesting paper by Mohammad Karami and Damon McCoy of George Mason University, “Understanding the Emerging Threat of DDoS-As-a-Service.”

Mohammad and Damon start out by mentioning that researchers know little about the operation, effectiveness, and economics of Booters. A fortunate event changed that. It seems the operations database for one specific Booter, twBooter, became public, allowing Mohammad and Damon to gain significant insight into the inner workings, including:

  • The attack infrastructure
  • Details on service subscribers
  • Information on the targets

In an interesting departure from typical DDoS operations, Mohammad and Damon noticed Booter developers prefer to rent servers instead of compromising individual PCs: “Compared to clients, servers utilized for this purpose could be much more effective as they typically have much higher computational and bandwidth capacities, making them more capable of starving bandwidth or other resources of a targeted system.”

Next, Mohammad and Damon were able to piece together twBooter’s two main components: the attack infrastructure and the user interface (shown below).

[Image: twBooters 5.jpg (twBooter’s attack infrastructure and user interface)]

The user interface slide has a window showing the different available attack techniques. Using the database, Mohammad and Damon isolated the most popular attacks:


[T]wBooter employs a broad range of different techniques for performing DDoS attacks. This includes generic attack types such as SYN flood, UDP flood, and amplification attacks; HTTP-based attacks including HTTP POST/GET/HEAD and RUDY (R-U-Dead-Yet); and application-specific attacks, such as slowloris, that targets Apache web servers with a specific misconfiguration.

The authors note that the above DDoS techniques accounted for more than 90 percent of the twBooter attacks. To determine the effectiveness of twBooter, Mohammad and Damon subscribed to twBooter and set about attacking their own server. First up, the UDP attack: “The UDP flood used a DNS reflection and amplification attack to generate 827 MBit/sec of DNS query response traffic directed at our server by sending out large numbers of forged DNS request queries that included our server’s IP address as the IP source address.”

Next, the SYN attack: “For the SYN flood, we observed 93,750 TCP SYN requests per second with randomly spoofed IP addresses and port numbers directed at our server in an attempt to utilize all of its memory by forcing it to allocate memory for a huge number of half-open TCP connections.”

The following slide provides details.

[Image: table.Booters 6.jpg (table of measured twBooter attack results)]

To recap, twBooter exemplifies the new trend in DDoS platforms: a reasonably-priced, user-friendly DDoS platform fully capable of bringing down websites, even those with significant bandwidth accommodations.

Something else I found interesting, even though twBooter did not make the Top 10 (maybe the data leak had something to do with it), Mohammad and Damon determined twBooter earned its owners in excess of 7,000 dollars a month. That amount resulted from customers launching over 48,000 DDoS attacks against 11,000 separate victims.


Final thoughts

Oddly enough, booters started out filling a niche, one that allowed online gamers to momentarily knock opponents out of the game, gaining themselves a distinct, albeit unfair, advantage. Other enterprising underworld individuals decided to repurpose booters into powerful DDoS platforms for hire — simple, yet effective.

Source: http://www.techrepublic.com/blog/it-security/whats-better-than-creating-your-own-ddos-renting-one/

When hackers take down a website, their weapon of choice is often a less-than-subtle technique known as a denial of service attack, which merely overwhelms a site’s servers with junk traffic. But the trick that the hacker group known as the Syrian Electronic Army pulled against the New York Times, Twitter, and the Huffington Post UK Tuesday seems to have been very different–and potentially far more invasive.

On Tuesday evening, Australian domain registrar Melbourne IT confirmed the security community’s suspicions that it was the weak link that allowed the outages of the Times’ website, and very likely the attacks on Twitter and the Huffington Post as well. Melbourne IT, like other domain registrars, serves as an authority for the Web’s domain name system (DNS), telling DNS servers how to translate the domain names users type into their browsers or click on into the numerical IP addresses of the servers that host those websites. According to Melbourne IT, one of its resellers’ accounts was compromised, giving the attackers the ability to change which DNS servers resolve their clients’ sites, essentially hijacking the sites’ traffic, potentially including all web traffic and email. (The battle for control of the domains still continues for the Times–NYTimes.com remained offline as of Wednesday night.)

“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies,” Melbourne IT’s head of corporate communications wrote to me in an emailed statement.

The pro-Syrian government provocateur hackers known as the Syrian Electronic Army, however, haven’t left the attack’s source to the imagination. “Hi @Twitter, look at your domain, its owned by #SEA :)” the group tweeted Tuesday afternoon, along with the link to Twitter’s domain information, showing that they had changed it to the SEA’s. The group also temporarily replaced the Times’ site with a page showing their logo, and a message that read “Hacked by Syrian Electronic Army.”

That level of takeover is far more serious than merely knocking a site offline or defacing it, points out David Ulevitch, who runs the DNS service OpenDNS and monitored the day’s hijinks. “This isn’t just an embarrassment for the New York Times, but a serious security threat,” he says. He suggests that confidential emails–say, from sensitive sources in Syria–could have been compromised, too. “If email could be redirected and captured by the Syrian Electronic Army, you’ve blown your confidential status.”

Worse yet, an attacker could use the trick to set up a fake version of the site, complete with a seemingly valid SSL encryption certificate, and siphon users’ credentials, suggests HD Moore, chief research officer at the security firm Rapid7. “You wouldn’t have to man-in-the-middle a site for very long to get a crapload of credentials,” he says. “They could have harvested for 15 minutes and gotten 10,000 passwords.”

I’ve reached out to the New York Times and Twitter for more information about the extent of these potential breaches, and I’ll update this post if I hear back from them.

Update: Twitter security spokesperson Jim Prosser writes back that the Melbourne IT attackers had only limited access to its domain registration details and couldn’t have pulled off the scenario that Moore describes, only changed the “Whois” details. “The perpetrators weren’t able to change the actual DNS address of the domain — just the written registration details,” writes Prosser. He declined to comment further on the record, and referred me to Twitter’s official statement on the hack, which states that “no Twitter user information was affected by this incident.”

Moore points out that Melbourne IT may have been lucky that its Syrian attackers limited their attack to Twitter, the Times, and the Huffington Post UK. In fact, 26 of the top 250 sites on the Web based on Alexa rankings use Melbourne IT as a domain registrar, including Google.com, Microsoft.com, Yahoo.com, Aol.com, and Adobe.com. It’s not clear why the hackers didn’t use their access to go after more of those high-profile sites. “Someone could have gone much further with this and had a much more devastating impact,” he says.

In its statement, Melbourne IT says that some of its clients were protected by a “registry lock” feature that would require further verification for any changes to a domain registry. “For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com,” the statement reads. “Some of the domain names targeted on the reseller account had these lock features active and were thus not affected.”
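As an added example that is not part of the article, the Python below parses the status lines of a WHOIS response (constructed excerpts with placeholder names) and distinguishes a registry lock, the server-side EPP statuses the statement refers to, from registrar-side client statuses, which look like a lock in WHOIS but can be cleared through the very registrar or reseller account such an attack compromises. The status-code semantics are standard EPP; the sample records are assumptions.

```python
import re

# EPP status codes as they appear in WHOIS "Domain Status:" lines. The server*
# codes can only be set and cleared by the registry (the "registry lock" the
# Melbourne IT statement recommends); the client* codes are set by the registrar
# and can be removed by anyone who controls the registrar or reseller account.
REGISTRY_LOCK = {"serverDeleteProhibited", "serverTransferProhibited",
                 "serverUpdateProhibited"}
REGISTRAR_LOCK = {"clientDeleteProhibited", "clientTransferProhibited",
                  "clientUpdateProhibited"}

STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)

# Constructed WHOIS excerpts (placeholder domain and name servers, not real records).
WHOIS_REGISTRAR_LOCK_ONLY = """\
Domain Name: EXAMPLE-NEWSPAPER.COM
Name Server: NS1.EXAMPLE-HOST.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

WHOIS_REGISTRY_LOCKED = """\
Domain Name: EXAMPLE-NEWSPAPER.COM
Name Server: NS1.EXAMPLE-HOST.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""


def parse_statuses(whois_text):
    """Collect the EPP status codes from a WHOIS response."""
    return set(STATUS_RE.findall(whois_text))


def assess_lock(whois_text):
    """Classify how a domain is protected against changes made through a
    compromised registrar account."""
    statuses = parse_statuses(whois_text)
    has_registry = REGISTRY_LOCK <= statuses
    has_registrar = bool(statuses & REGISTRAR_LOCK)
    return {
        "statuses": sorted(statuses),
        "registry_lock": has_registry,
        # Looks locked in WHOIS, but the lock lives in the account an attacker holds.
        "registrar_lock_only": has_registrar and not has_registry,
        "missing_registry_statuses": sorted(REGISTRY_LOCK - statuses),
    }


if __name__ == "__main__":
    for label, text in (("registrar lock only", WHOIS_REGISTRAR_LOCK_ONLY),
                        ("registry locked", WHOIS_REGISTRY_LOCKED)):
        print(label, "->", assess_lock(text))
```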

But Moore says he checked Twitter.com’s domain registration as the attack took place and could see that it had implemented what looked like that “lock” safeguard, which seems to have failed to prevent the domain hijacking. “Whatever Twitter did, it didn’t make a difference,” he says. (Update: As I noted above, Twitter disputes this.)

The Syrian Electronic Army, which supports Syrian dictator Bashar Al-Assad’s regime in the country’s widening civil war, has emerged over the last year as a frequent disruptive force online. Using phishing attacks, it’s hijacked the Twitter feeds of Justin Bieber, Angelina Jolie, the BBC, CBS, NPR, and even the Onion. In April, it used the AP feed to deliver false news that President Obama had been injured in an explosion at the White House, causing a temporary 150 point dive in the stock market’s Dow Jones Industrial Average.

Though the Times continues to battle its Syrian foes, Moore argues that the SEA could have used its Melbourne IT attack to inflict far more serious damage than any of those previous hacks. “This comes off as kind of clumsy and a waste of a serious bug,” he says. “It could have gone a whole lot worse.”

Source: http://www.forbes.com/sites/andygreenberg/2013/08/28/syrian-hack-of-nytimes-com-and-twitter-could-have-inflicted-much-more-than-mere-embarrassment/


China’s Internet was taken down in an attack on Sunday that could have been perpetrated by sophisticated hackers or an individual, security experts say.

According to The Wall Street Journal, which earlier reported on the outage, China on Sunday was hit with what the government has called the biggest distributed denial-of-service attack ever to rock its “.cn” sites. The attack, which lasted up to four hours, according to security company CloudFlare, left many sites with the .cn extension down. According to the Journal, parts of the affected sites were still accessible during the outage, due mainly to site owners storing parts of their pages in cache.

In a statement on the matter, the government-run China Internet Network Information Center confirmed the attack, saying that it was indeed the largest the country has experienced. The center said it is gradually restoring services and will work to improve the top-level domain’s security to safeguard against similar attacks.

It’s not currently known who attacked the Chinese domain. However, in a statement on the matter, CloudFlare CEO Matthew Prince said that while it’s possible a sophisticated group of hackers took .cn down, “it may have well been a single individual.”

Source: http://asia.cnet.com/ddos-attack-targets-chinas-internet-sites-down-for-hours-62222194.htm

Early Sunday morning, part of the Chinese Internet went down in what the government is calling the largest denial-of-service attack it has ever faced. According to the China Internet Network Information Center, the attack began at 2 a.m. Sunday morning and was followed by an even more intense attack at 4 a.m. The attack was aimed at the registry that allows users to access sites with the extension “.cn.” As originally reported by the Wall Street Journal, the attack is perhaps more an indicator of just how susceptible the global Internet infrastructure is to these types of attacks.

China has one of the most sophisticated filtering systems in the world, period. Furthermore, China’s government is rated by analysts as having one of the highest abilities to carry out cyber attacks. Despite both of these points, China is not capable of defending itself from an attack.

DOS (Denial of Service) or DDoS (Distributed Denial of Service) attacks are the single largest threat to our Internet and the Internet of Things. The more our world becomes connected and dependent on the Internet, the more opportunities there are to disrupt everyday necessities that depend on our IoT. Here are some of the more recent examples:

Latest DOS attacks around the world


  • Anonymous Demands Recognition of DDoS as a Legal Form of Protest

We all know how annoying a DDoS is, and just how inconvenient it becomes to access a much-needed site. While we may curse the people behind DDoS attacks, the renowned hacktivist group Anonymous is looking to get such attacks the status of legal protest.

According to Anonymous, DDoS is done to send a message to the affected party, which is why they’ve petitioned the Obama administration to recognize DDoS as a legal form of protest. In the petition, the Anonymous group also demanded that anyone who has been jailed for participating in a DDoS attack should be immediately released, and anything related to the attack should be wiped from their criminal records.

  • FBI Enlists US Bank’s Help To Head Off Iranian Cyber Attacks

In order to combat a wave of cyberattacks that have rattled the US banking industry since last year, the FBI has given certain banking executives extensive briefings on its classified investigations. The collaboration is part of a new policy being initiated by the FBI to try to foster closer cooperation between authorities and the private sector.

  • Did Hackers Take Down NASDAQ?

News emerged that a significant disruption caused the NASDAQ trading market to shut down for more than three hours starting at 9:20am PST on August 22nd. The problem manifested itself in the quote processing system, prompting the first awareness of the issue.

This seems eerily reminiscent of another NASDAQ incident in May 2013 during which Facebook’s IPO was bungled due to a “software glitch”. That incident prompted a $10 million fine for NASDAQ, but more importantly a rising lack of confidence has emerged in investor sentiment surrounding the technical elements of today’s trading systems. People have questioned whether the structure itself is flawed, and whether there is an overabundance of dependence on technology baked into both trading strategies and automated trading systems.

  • CyberBunker Launches “World’s Largest” DDoS Attack, Slows Down The Entire Internet

A massive cyberattack launched by the Dutch web hosting company CyberBunker has caused global disruption of the web, slowing down internet speeds for millions of users across the world, according to a BBC report. CyberBunker launched an all-out assault, described by the BBC as the world’s biggest ever cyberattack, on the self-appointed spam-fighting company Spamhaus, which maintains a blacklist used by email providers to filter out spam.

  • Bitcoin Under Attack? Dwolla & Mt. Gox Both Hit With DDoS Attacks Overnight

Another day, another DDoS attack. This time round, it’s the turn of alternative online payments provider Dwolla, which saw its website taken offline for a brief period of time. The site has since come back online, but the company said in a statement that some users may still experience issues as the attack remains ongoing.

Source: http://siliconangle.com/blog/2013/08/26/5-notorious-ddos-attacks-in-2013-big-problem-for-the-internet-of-things/?angle=silicon