A record-breaking distributed denial-of-service (DDoS) attack Monday peaked at 400 Gbit/s, which is about 100 Gbit/s more than the largest previously seen DDoS attack.

DDoS defense firm CloudFlare disclosed the attack — against one of its customers — Monday. “Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year, tweeted CloudFlare CEO Matthew Prince, referring both to attacks that target vulnerabilities in the Network Time Protocol, as well as the March 2013 DDoS attack against Spamhaus, which peaked at a record-breaking 300 Gbit/s.

Prince said Monday’s attack caused trouble “even off our network,” suggesting that some upstream service providers — particularly in Europe — may have experienced slowdowns.

“Someone’s got a big, new cannon. Start of ugly things to come,” Prince tweeted. “These NTP reflection attacks are getting really nasty,” he added.

Who was the target of the attack? Prince declined to disclose the name of the CloudFlare customer being targeted, saying that unlike the attack against Spamhaus, his company didn’t have permission to name names.

CloudFlare’s assessment of the attack bandwidth appeared to be validated by Oles Van Herman, the head of French hosting firm OVH.com, who reported via Twitter that his company was seeing a DDoS attack with a bandwidth “far beyond” 350 Gbit/s. He confirmed that IP addresses involved in the DDoS attack — which according to one report first began Friday — traced back to his firm’s network, but noted, “Our network is the victim, not the source.”

Van Herman’s statement suggests that attackers spoofed the OVH.com IP address — as part of their record-breaking attack against a CloudFlare customer — which squares with how reflection attacks work. “A reflection attack works when an attacker can send a packet with a forged source IP address,” according to an overview of NTP reflection attacks published by CloudFlare programmer John Graham-Cumming. “The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.”

Many reflection attacks previously targeted domain name system (DNS) servers. But lately, attackers have also begun to target NTP, which — like DNS — “is a simple UDP-based protocol that can be persuaded to return a large reply to a small request,” said Graham-Cumming.

Monday’s record-breaking DDoS attack isn’t the first time that large reflection attacks have been seen in the wild. According to a threat report released last month by DDoS defense firm Black Lotus, while HTTP and HTTPS attacks — including SYN floods, ACK floods, and application-layer attacks — remain the dominant type of DDoS attacks seen in the wild, “distributed reflection denial of service (DrDoS) attacks began to gain ground moving into 2014,” and were being used to support “huge volumetric attacks exceeding 100 Gbit/s in volume.”

Launching a reflection attack isn’t difficult, especially if the attacker taps a toolkit such as DNS Flooder v1.1, which DDoS defense firm Prolexic said first appeared on underground hacking forums about six months ago. In a threat report released Tuesday, the company warned that the DNS-attack toolkit has since been used to launch a number of reflection attacks, with some successfully amplifying the initial attack bandwidth by a factor of 50.

“This toolkit uses a unique method where attackers assign DNS servers with arbitrary names and utilize them as reflectors,” according to Prolexic’s report. “This new technique allows malicious actors to purchase, set up, and use their own DNS servers to launch reflection attacks, without the need to find open and vulnerable DNS servers on the Internet.”

But most DDoS attackers still rely on blended attacks, which gives them a better chance “to find weaknesses in the target’s defenses and to confuse security engineers who may be trying to mitigate the attack,” according to the Black Lotus report.

The number of DDoS attacks that included NTP reflection-attack techniques increased substantially after January 2, when US-CERT released vulnerability advisory CVE-2013-5211, detailing a network time protocol daemon (ntpd) bug that can be exploited to launch DDoS reflection attacks. “Specifically, an attacker can send a spoofed monlist command to a vulnerable ntpd which will respond to the victim at an amplification factor of 58.5,” according to Black Lotus. The firm said that beginning in early January, it saw “a massive shift in the tactics used by attackers,” when they began tapping the NTP vulnerability en masse.

How can businesses better prevent their servers from being used — or abused — by DDoS attackers who target NTP vulnerabilities? “As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7,” according to the US-CERT advisory. “However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.”

To further help lock down vulnerable systems, research firm Team Cymru has released secure NTP templates for Cisco IOS, Juniper Junos, and Unix. In addition, the NTP Scanning Project provides a free service to scan any server for NTP vulnerabilities.

Source: http://www.informationweek.com/security/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787?_mc=sm_iwk_edit

Internet services for the US Court system were taken down Friday afternoon for several hours by a Distributed Denial of Service attack.

Friday afternoon, shortly after GMail and Google+ went down, a distributed denial of service (DDOS) attack took down Internet systems for the US Courts.

pacer.tweet

Several sites were affected, including both the public web site for the courts and PACER, “… an electronic public access service that allows users to obtain case and docket information from federal appellate, district and bankruptcy courts…”

A report in Politico cites a federal court clerk from Arkansas saying that it appeared to be a “new national cyberattack on the judiciary,” but there is no verification for that at this time.

As of Friday evening all sites appeared to be functioning.

A part of the AfterDawn network was unreachable for 1-2 hours this morning (around 10:00 AM Eastern Time, 15:00 GMT). The outage was caused by a Distributed Denial of Service (DDoS) attack towards our servers that saturated the downlink of our rack cabinet. Most of the English language sites were available again within an hour, but much of the international sites were unreachable for nearly two hours.

DDoS attack a considerable amount if traffic is directed at a server or servers in an attempt to bring down the server or the network infrasturcture. In our case the 1GBps network link of the rack cabinet couldn’t handle all the incoming traffic. In response the traffic to the affected services was blackholed.

The attack did not cause security issues with our services.

We would like to apologize for the inconvenience caused by the outage.

Source: http://www.afterdawn.com/news/article.cfm/2014/01/11/ddos_attack_brings_a_brief_outage_to_afterdawn

Malvertising is a consistent challenge which can see reputable websites having frames infected to serve up any matter of attack.

 

After Yahoo beat down malicious advertisements which redirected users to the “Magnitude” exploit kit, which was enabled following the infection of a third party, Sean Power, security operations manager at DOSarrest, said that the problem is that many banner ad companies allow JavaScript or other code inside the advert.

 

“This is something we have seen before. In our case it was an advertising campaign that included a DDoS attack against one of our customers,” he said. “For companies allowing these ads on their website, the ads should be sanitised before displaying to the public.”

 

Power said that businesses should find a balance of risk versus profit to deal with this type of attack, and techniques could range from simply “trusting that all ads are malware free” to digitally signing each ad and only showing the ones that have been verified as malware free.
He also said the responsibility should lie with the ad company to sanitise all of its ads;  although he pointed out all of the bad press will be focused on the site displaying the ads (in this case Yahoo).  “No one is going to take kindly to a “not my responsibility” attitude when they got a virus after visiting your site,” Power concluded.

 

“As with any other business relationship – do your due diligence. Find out if the ad company allows code to be inserted in the ads.  Anytime your business relationships have the ability to directly alter your customer’s experience, they should be part of your security review,” he said.

 

Also hit by malicious adverts was video-sharing website Dailymotion, which according to research by Invincea delivered a malicious executable file as a ruse to “clean” their “infected” machine. Visitors were automatically redirected via Javascript to a website that distributed the fake infection warning, and this then automatically serves up the fake anti-virus.

 

Luis Corrons, technical director of PandaLabs, told IT Security Guru that adverts can lead to exploit kits and that has happened a number of times in the past. “In this kind of attack, the site serving the malicious advert has not been compromised, so I won’t say the responsibility to sanitise the ads lies directly with them,” he said.

 

“However, it is in the company’s own interest to protect people using their website. The company serving the ads is the one that should hold most of the responsibility, as it is their platform the one being abused.”

Source: http://www.itsecurityguru.org/responsibility-malvertising-lies-advert-platform-website/

New study reveals breadth — and apparent success — of the typical advanced persistent threat (APT)-type attack

Advanced persistent threat (APT)-style attacks may be even more pervasive than thought: Organizations have suffered on average of nine such targeted attacks in the past 12 months, a new study finds.

Even more chilling: Nearly half of those organizations say the attackers successfully stole confidential or sensitive information from their internal networks, according to a new report by the Ponemon Institute called “The State of Advanced Persistent Threats,” which was commissioned by Trusteer. Ponemon surveyed 755 IT and IT security professionals who have had firsthand experience with prevention or detection of targeted attacks on their organizations.

In line with previous reports from other sources, Ponemon found that it took victim organizations painfully long periods of time to even discover they had been hit by these attacks. On average, these attacks went undiscovered for 225 days — a delay respondents attribute to a lack of sufficient endpoint security tools and lean internal resources. According to the Verizon Data Breach Investigations Report (DBIR) released in August, organizations typically don’t discover that they’ve been breached for months and even years after the fact — and nearly 70 percent of them learn from a third party.

But in a dramatic shift from the Verizon report, the new Ponemon study found that most organizations say they are seeing a decline in “opportunistic” or random, nontargeted attacks and an increase in targeted ones. Some 67 percent say opportunistic attacks have not increased in the past 12 months, while 48 percent say targeted attacks have either rapidly increased or increased in same period. The survey defines opportunistic attacks as those where the attackers “have a general idea of what or whom they want to compromise” and only hack them if they encounter exploitable vulnerabilities. “In contrast, targeted attacks are those in which attackers specifically choose their target and do not give up until this target is compromised,” according to the report.

Verizon’s DBIR, meanwhile, found that 75 percent of all confirmed data breaches last year were the result of financially motivated cyberattacks, while 20 percent were cyberespionage for stealing intellectual property or other information for competitive purposes.

The divergent data here could be a function of organizations becoming more aware of targeted attacks, notes George Tubin, senior security strategist at Trusteer, an IBM company. “As the industry becomes more mature and defining our terms better of what’s opportunistic versus targeted, we’re getting some clarity,” he says.

Cyberespionage actors are getting stealthier, encrypting their malware to evade detection, for example, he says.

Nearly 70 percent of organizations say zero-day malware attacks are their biggest threats, and 93 percent say malware was the method of attack employed by the APT actors who targeted them. Half say those attacks originated via phishing.

Anti-malware and intrusion detection systems (IDS) are mostly no match for exploits and malware, according to the report. Some 76 percent of respondents say exploits and malware got past their AV software, and 72 percent say they got past their IDS.

IDS, IPS, and AV are the top three tools these organizations have in place for detecting targeted attacks. Around 60 percent say opportunistic attacks are easier to prevent than targeted ones, and 46 percent say they are easier to detect.

Java and Adobe Reader — two majorly exploited applications — are the biggest thorns in the sides of organizations when it comes to patching. Some 80 percent say Java is the hardest to keep updated with the latest patches; 72 percent, Reader; and 65 percent, Microsoft Windows. “Sixty-four percent say their company continued to operate one or more of these applications in the production environment knowing that vulnerabilities exist and a viable security patch was available but was not implemented,” the report says. And 73 percent say: “If I could, I would discontinue using Java.”

And not surprisingly, the root of much of the APT troubles in these organizations is lack of budget. Nearly 70 percent say their budgets are inadequate for fighting APTs, and 31 percent say they have sufficient in-house resources.

Trusteer’s Tubin says the actual numbers of APT targeted attacks per year, as well as the percentage of successful ones that exfiltrate information, are probably even higher than the Ponemon report shows. “Newer attack techniques that bypass detection technologies are not being picked up,” he says. This stuff is very stealthy … it sits on the network for a very long time, so it’s very likely these companies have additional APTs going on that they just haven’t discovered yet.”

Source: http://www.darkreading.com/attacks-breaches/businesses-suffer-an-average-of-9-target/240164400#!