Kaspersky Lab has added generic protection for an attack form they say is on the rise: brute force RDP attacks.

RDP stands for Remote Desktop Protocol and is the protocol for Windows Remote Desktop and Terminal Server. It is sometimes used for remote user access to servers, but very commonly used for remote administrator access. RDP “remotes” the Windows UI, allowing a remote user with an RDP client to log into Windows and use it as if local.

A brute force RDP attack would scan IP ranges and TCP port ranges (the default being 3389) for RDP servers, which could be either client or server systems. Once an attacker finds an RDP server, he would attempt to log on, particularly as Administrator. The IDS in Kaspersky products will now detect this type of attack as Bruteforce.Generic.RDP.

As Kaspersky says, a successful RDP attack against a server has the potential to be quite lucrative. But even as they call it a “brute force” attack, the Kaspersky account overstates its sophistication. Very simple and obvious actions on your part can prevent this attack from having any success:

  • Use complex passwords, especially for accounts with administrator access
  • Consider disabling the Administrator account and using a different account name for that access
  • Set the system to lock a user out for a period of time after some number of failed login attempts. Numerous group policies for these rules (for example the account lockout threshold) have been in Windows for a long time
  • Require two-factor authentication, especially for administrator access

These guidelines are best practice for many reasons, not just to block brute force attacks, and they are good general advice against brute force attacks of any kind, not just those against RDP. As the Kaspersky story says, last year there was a major brute force campaign of this type against WordPress accounts. It was so intense that it was effectively a DDoS. Good password and account lockout policies can’t stop a DDoS, but they can stop a brute force login attack.
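The lockout rule above (N failures within a window) is also the simplest detection rule for the attack itself. The following is an added example, not code from the Kaspersky or ZDNet write-ups: it flags RDP brute-force sources from Windows Security log failed-logon records. The record layout, the sample events and the thresholds are my assumptions; what is real is that Event ID 4625 is a failed logon and logon type 10 is RemoteInteractive (RDP).

```python
"""Added example (not from the article): flag RDP brute-force sources from
Windows Security 4625 (failed logon) records.

Assumptions (mine): events are already parsed into dicts with the fields
below; Event ID 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP).
The sample events are constructed for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, ip, account, logon_type=10):
    """Build one constructed 4625 record."""
    return {"time": ts, "event_id": 4625, "logon_type": logon_type,
            "account": account, "source_ip": ip}


# Constructed sample: one source hammering Administrator/admin over RDP every
# 10 s, one user who mistyped a password twice, and one local (non-RDP) failure.
SAMPLE_EVENTS = [
    _ev("2014-06-01T10:00:00", "198.51.100.7", "Administrator"),
    _ev("2014-06-01T10:00:10", "198.51.100.7", "Administrator"),
    _ev("2014-06-01T10:00:20", "198.51.100.7", "admin"),
    _ev("2014-06-01T10:00:30", "198.51.100.7", "Administrator"),
    _ev("2014-06-01T10:00:40", "198.51.100.7", "admin"),
    _ev("2014-06-01T10:00:50", "198.51.100.7", "Administrator"),
    _ev("2014-06-01T10:01:00", "203.0.113.5", "jdoe"),
    _ev("2014-06-01T10:01:30", "203.0.113.5", "jdoe"),
    _ev("2014-06-01T10:02:00", "203.0.113.5", "jdoe", logon_type=2),
]


def rdp_failures(events):
    """Keep only failed logons that arrived over RDP (logon type 10)."""
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 10]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: set(accounts tried)} for every source that produced
    at least `threshold` RDP logon failures inside a sliding `window`.

    This is the account-lockout rule keyed by source address instead of by
    account, so it still fires when the attacker rotates user names.
    """
    recent = defaultdict(deque)      # source_ip -> timestamps inside the window
    accounts = defaultdict(set)      # source_ip -> account names attempted
    flagged = {}
    for e in sorted(rdp_failures(events), key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        q = recent[e["source_ip"]]
        q.append(t)
        accounts[e["source_ip"]].add(e["account"])
        while q and t - q[0] > window:   # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["source_ip"]] = set(accounts[e["source_ip"]])
    return flagged


if __name__ == "__main__":
    for ip, names in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"RDP brute force from {ip}: accounts tried {sorted(names)}")
```

On a real host the same rule can be fed from the Security log (filter on Event ID 4625 and Logon Type 10); keying by source address rather than by account is what distinguishes a password-spraying run across many user names from an ordinary lockout event.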

Source: http://www.zdnet.com/brute-force-rdp-attacks-depend-on-your-mistakes-7000031071/

DDoS: A problem we can’t ignore

If your credit union has a server with public access, you have no choice but to consider the threat of a DDoS attack with the utmost seriousness. Now that the larger banks have shored up their defenses, malevolent actors are focusing their sights on a new line of targets: smaller financial institutions.

Just how seriously your institution could be impacted by a DDoS attack depends on how much of your credit union’s business and reputation depends on access and availability of your online services. If your online banking operations or other online services are down for an extended period of time, there is the potential for significant damage to your credit union’s reputation.

DDoS preparedness is best considered to be a strategy. The approach should be similar to the strategy used for disaster recovery: understand the risk, know your environment, perform up-front planning and preparation, document your findings and your plans, do occasional tests of your plan, and, finally, revisit your strategy on an ongoing basis.

A 7 Point Approach to DDoS Preparedness

1. Conduct a company-wide DDoS risk assessment

Every credit union should be accustomed to the process of documenting formal risk assessments, taking into consideration both NCUA guidance and best practices. Conducting a company-wide DDoS risk assessment is the essential first step in DDoS preparedness.

By evaluating your environment and taking into account specific points of exposure, you should be able to zero in on the most likely targets, such as home banking, public-facing websites and other online services.

With this information in-hand you should then work to identify the potential impact of an attack on your business. What losses could your institution incur in the form of lost revenue or reputational damage?

2. Create an action plan to prepare for and respond to DDoS attacks

Armed with the information you derive from your risk assessment, you are then better positioned to move to the next step: create an action plan to prepare for and respond to DDoS attacks.

If you haven’t prepared for an attack, your response is likely to be slow, disorganized and therefore ineffective.

We recommend that you develop a plan – much like the plan that you already have for the Unintended Disclosure of Non-Public Member Information. This should augment your existing Incident Response Plan, with a focus on the various DDoS-centric activities.

As with disaster recovery planning, the use of different scenarios to help shape specific responses is a constructive way to go about developing and detailing this plan. Taking into account the various types of DDoS attacks, such as Protocol Attacks, Application Attacks or Bandwidth Attacks, you can adjust scenario duration and plans based on the specific servers subjected to the attack.

An extremely important element of your action plan, which, unfortunately, is often forgotten or ignored, is to include the specific steps you will take to monitor the other systems that are not directly impacted by the DDoS.

Today DDoS attacks are frequently used as a smokescreen to create a crisis designed to distract your staff while something else – usually more nefarious – occurs elsewhere in your credit union. A DDoS attack needs to be directly addressed, but it should also trigger heightened awareness of other attacks that may be occurring against your enterprise.

3. Know your infrastructure components

How well documented is your enterprise infrastructure? Do you have a complete inventory and map of all of your components? How frequently is this updated?

Having one or more IT people that know everything about your systems isn’t enough. If your infrastructure inventory isn’t documented and current, you are not prepared for an attack. Your enterprise infrastructure inventory will help you focus on the specific types of attacks you can withstand, and help you identify the best practice approaches to DDoS defense for your environment.

4. Understand Your Infrastructure Components

When I spoke with several credit union executives about their state of DDoS preparedness, many reported that they would simply rely on their ISP to fix things. As Benjamin Franklin famously said, “Failing to prepare is preparing to fail.”

Don’t wait for an attack to learn the extent of your ISP’s defensive capabilities. It is essential that you proactively develop and document response plans with all of your online service providers.

A few things to document and understand about your ISP:

  • Do you have a calling tree and support numbers, contacts and account numbers readily available to you? And do you know where to find them if your site or network is down?
  • Do you understand your ISP’s options for defending against DDoS attacks? Do they use black hole routes, upstream filtering or cloud-based mitigation?
  • What are the SLAs within your contract with your ISP?

A key question that every credit union must also address is whether to depend on their ISP for DDoS protection, or to contract with a DDoS mitigation services provider.

While an ISP-based solution might seem to make sense, there are several factors to consider. If your organization is multi-homed, all your ISPs would need to participate. Otherwise, bandwidth availability during attacks would be spotty. It is also difficult to coordinate an active mitigation between multiple ISPs. Does your organization want to be the one coordinating this response? If not, then selecting an experienced, third-party DDoS protection provider should be an essential part of your plan.

5. Implement general rules to help mitigate DDoS attacks

This step is one that your IT team should already have as part of their general operating procedures. If not, make it an immediate priority. The following are general rules to help defend against a DDoS attack. They should only be used as a guide, since they will not stop all attacks, especially some of the more complex varieties.

  • Turn off all unnecessary ports and protocols
  • Implement an IP blacklist
  • Block invalid and malformed packets
  • Configure and harden network equipment

Ongoing vulnerability assessments will help you to validate that you’ve properly configured and protected your environment against these ever-evolving threats.

6. Conduct a post-attack analysis after a DDoS attack

While it is crucial to have a plan in place to address a DDoS attack, it is equally important to perform a post-attack analysis. Some of the items to consider when documenting an attack include:

  • Type of attack (Volume, Protocol, Application Layer)
  • What equipment helped you mitigate, even if it was only partially successful?
  • What attack traffic had the most impact and why?

This analysis will help you evaluate the effectiveness of your response plan, identify any holes in your documentation, and also help you determine whether or not you need to replace or upgrade infrastructure components. If you don’t have the budget for more resilient infrastructure, you may want to think about outsourcing to a security service provider.

7. Leverage monitored and managed services

Partnering with an experienced third-party DDoS mitigation provider has significant benefits. Such providers have deep experience in dealing with DDoS attacks and offer a wide array of equipment and resources. You can use their services on demand—for example, a DNS redirect service—or have them monitor your network 24/7 for signs of attacks.

Source: https://www.cuinsight.com/preparing-for-ddos-an-it-operations-perspective.html

A Denial of Service essentially happens when a hacker/attacker floods a target machine with malicious traffic until all of its resources are used up and exhausted, resulting in the system going offline. Distributed denial of service is essentially the same, only that it enlists other machines/computers in the attack: the stakes, as they say, are much amplified here. Here’s a list of 8 major DDoS attacks.

1. UDP Flood

A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will: check for the application listening at that port, see that no application listens at that port and reply with an ICMP Destination Unreachable packet.

2. Ping of Death

A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A correctly formed ping message is typically 56 bytes in size, or 84 bytes when the Internet Protocol (IP) header is considered. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size of 65,535 bytes. Larger packets could crash the target computer. In early implementations of TCP/IP, this bug was easy to exploit. This exploit affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers.

3. Reflected / Spoofed attack

A distributed denial of service attack may involve sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target.

4. Nuke

A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.

5. Slowloris

Slowloris is a piece of software written by Robert “RSnake” Hansen which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request.

6. Unintentional DDoS

This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story.

7. Zero Day DDoS

General term used to describe vulnerabilities and exploits that are still new and haven’t been patched yet.

8. SYN Flood

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
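Three of the families in this list (UDP flood, Slowloris, SYN flood) each leave a distinct footprint in connection data, and the post-attack analysis step in the preparedness article above asks you to record the attack type as Volume, Protocol or Application Layer. The following added example, which is not from either source article, classifies constructed connection/packet records along those lines. The record layout, the sample traffic and the thresholds are my assumptions.

```python
"""Added example (not from the articles): classify constructed traffic records
into the DDoS families described on this page.

Assumptions (mine): records are dicts already summarised from flow or socket
data; thresholds are illustrative. Sample records are constructed.
  tcp:  state "half_open" (SYN seen, handshake never completed) or "established"
  udp:  "unreachable" True if the host answered with ICMP Destination Unreachable
  http: "partial" True if the request headers never completed, "age" = seconds open
"""
from collections import Counter, defaultdict


def tcp(src, state):
    return {"proto": "tcp", "src": src, "state": state}


def udp(src, port, unreachable):
    return {"proto": "udp", "src": src, "dst_port": port, "unreachable": unreachable}


def http(src, partial, age):
    return {"proto": "http", "src": src, "partial": partial, "age": age}


# Constructed sample: 40 spoofed SYNs, 60 UDP packets sprayed at closed ports,
# 25 requests held open with incomplete headers, plus a little normal traffic.
SAMPLE = (
    [tcp(f"198.51.100.{i}", "half_open") for i in range(1, 41)]
    + [tcp("203.0.113.10", "established")] * 3
    + [udp("192.0.2.9", p, True) for p in range(20000, 20060)]
    + [udp("203.0.113.11", 53, False)] * 5
    + [http("192.0.2.44", True, 400)] * 25
    + [http("203.0.113.12", False, 1)] * 10
)


def syn_flood_score(records, min_half_open=20):
    """Half-open TCP connections far outnumbering established ones is the SYN
    flood signature; returns the half-open count if above threshold, else 0."""
    half = sum(1 for r in records if r["proto"] == "tcp" and r["state"] == "half_open")
    est = sum(1 for r in records if r["proto"] == "tcp" and r["state"] == "established")
    return half if half >= min_half_open and half > 4 * est else 0


def udp_flood_sources(records, min_ports=30):
    """A source spraying UDP at many distinct closed ports (each answered with
    ICMP unreachable) is the UDP flood pattern; returns {src: distinct ports}."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "udp" and r["unreachable"]:
            ports[r["src"]].add(r["dst_port"])
    return {s: len(p) for s, p in ports.items() if len(p) >= min_ports}


def slowloris_sources(records, max_age=120, min_conns=10):
    """Many long-lived connections whose request never completes is the
    Slowloris pattern (application layer); returns {src: connection count}."""
    c = Counter(r["src"] for r in records
                if r["proto"] == "http" and r["partial"] and r["age"] > max_age)
    return {s: n for s, n in c.items() if n >= min_conns}


def classify(records):
    """Map findings onto the Volume / Protocol / Application Layer taxonomy
    used when documenting an attack afterwards."""
    report = {}
    syn = syn_flood_score(records)
    if syn:
        report["Protocol"] = f"SYN flood: {syn} half-open connections"
    udp_src = udp_flood_sources(records)
    if udp_src:
        report["Volume"] = f"UDP flood from {sorted(udp_src)}"
    slow = slowloris_sources(records)
    if slow:
        report["Application Layer"] = f"Slowloris-style from {sorted(slow)}"
    return report


if __name__ == "__main__":
    for layer, finding in classify(SAMPLE).items():
        print(f"{layer}: {finding}")
```

The three detectors key on different things on purpose: the SYN flood check looks at the ratio of half-open to established sockets (spoofed sources make per-source counting useless), the UDP flood check counts distinct closed ports per source, and the Slowloris check counts long-lived incomplete requests per source, which is why it belongs at the application layer rather than the network layer.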

Source: http://www.efytimes.com/e1/fullnews.asp?edid=137389

Creating a botnet to carry out Distributed Denial of Service attacks (DDoS), is simpler than many people realise. Recently, Incapsula reported an attack they uncovered that involved a profile image associated with comments on a webpage in order to get the user’s browser to carry out a DDoS attack on a target site.

The attacker first injected JavaScript code into the image tag associated with his profile image. He then made comments on the site – the infected image being used as an avatar. When other users navigated to the site, their browsers automatically triggered the JavaScript code. When executed, the code creates a hidden iframe on the page, linking to the attacker’s Command and Control server (C&C), to establish target sites for the DDoS attack. The iframe then sends GET requests to the target server to conduct the DDoS attack.

A DDoS attack requires a large number of GET requests sent over a short period. This attack reported by Incapsula, sent one GET request to the target site every second. The infected images were placed on a video download site – if unsuspecting users viewed a video for say 30 minutes – every second during that period a GET message was sent to the target site. By placing his infected image on a number of pages hosting different popular videos, the attacker caused 22,000 users to issue a total of 20 million GET requests.

Jeremiah Grossman and Matt Johansen from WhiteHat Security have shown that by bypassing the connection limits of the browser, it is possible for an attacker to scale up and increase the number of simultaneous connections and send out a higher rate of GET requests. They believe that it is possible to send up to 10,000 GET requests per minute from each browser that has been compromised.

These researchers have also shown that this attack can be easily launched through online advertisements. They calculate that it would cost around $500 advertising spend to infect and create a botnet of 1 million browsers. With each browser sending 10,000 GET requests per minute, it would be a most formidable DDoS attack.

When the browser navigates away from the page containing the infected JavaScript, the iframe and the code are automatically removed from the browser with no trace. No malware is left on the PC from this attack – it is a leave-no-trace attack.

In addition to using the botnet to launch a DDoS attack, it is also possible to use it for other purposes such as password hash cracking.

There is no browser-side patch for this attack. Browsers are designed to execute code in this manner. The use of an ad blocker will prevent your browser unwittingly joining a botnet through advertisements.

The ease with which a botnet such as the one described can be created would indicate that we can expect this method to be used more often in the future in DDoS attacks.
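The entry point in the Incapsula case was user-supplied avatar markup that the commenting site stored and rendered unchanged, so the fix belongs on the site that accepts the avatar, not in the browser. The following is an added example, not code from Incapsula or the source post: a server-side sanitiser that reduces a submitted avatar fragment to a single image tag with an allowlisted set of attributes and an http(s) source. Allowed attribute names and the sample inputs are my assumptions.

```python
"""Added example (not from the source post): sanitise a user-submitted avatar
fragment before it is stored and rendered in comments.

Assumptions (mine): an avatar slot only ever needs one <img>; the attribute
allowlist below is a choice, not a standard; the sample inputs are constructed.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_ATTRS = {"img": {"src", "alt", "width", "height"}}
ALLOWED_SCHEMES = {"http", "https"}


class AvatarSanitizer(HTMLParser):
    """Keeps only <img> tags with allowlisted attributes; everything else,
    including script elements, event-handler attributes and text, is dropped
    and recorded in `dropped` so the rejection can be logged."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.dropped = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ATTRS:
            self.dropped.append(tag)
            return
        kept = {}
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS[tag] or value is None:
                self.dropped.append(f"{tag}@{name}")          # e.g. img@onerror
                continue
            if name == "src" and urlparse(value.strip()).scheme not in ALLOWED_SCHEMES:
                self.dropped.append(f"{tag}@src:{value.strip()[:16]}")
                continue
            kept[name] = value
        if "src" not in kept:                                 # an image without a usable src is useless
            self.dropped.append(f"{tag}:no-src")
            return
        rendered = " ".join(f'{k}="{escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag} {rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        pass                                                  # <img> is a void element; others are dropped

    def handle_data(self, data):
        if data.strip():                                      # no free text belongs in an avatar slot
            self.dropped.append("text")


def sanitize_avatar(fragment):
    """Return (clean_html, dropped_items) for a submitted avatar fragment."""
    p = AvatarSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample submissions.
SAMPLES = {
    "event_handler": '<img src="https://cdn.example.test/a.png" alt="me" onerror="alert(1)">',
    "script_scheme": '<img src="javascript:alert(1)">',
    "script_tag": '<script>fetch("https://c2.example.test")</script><img src="https://cdn.example.test/b.png">',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        clean, dropped = sanitize_avatar(raw)
        print(f"{label}: {clean!r}  dropped={dropped}")
```

Allowlisting (keep only what is known to be safe) rather than blocklisting `on*` attributes is what makes this hold up when a new attribute or scheme appears. A Content-Security-Policy header that forbids inline script on the commenting site is the usual second layer, since it stops any injected script that does slip through from running at all.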

Source: http://dwaterson.com/2014/04/14/method-to-create-a-botnet-and-carry-out-a-ddos-attack/

Man’s creation of money was shortly followed by man’s creation of money crime. In modern times, the financial industry’s latest nemesis is the Distributed Denial of Service attack (DDoS). As banks ramp up their protection technology, so too have hackers grown in opposing might.

The purpose behind a DDoS attack is to slow, or bring down a website. These attacks are executed by flooding a target server with bot-generated requests, packets, or data.  And who are these dark figures carrying out these cyber assaults? Hackers, either hired by business rivals or acting on their own.

These skilled computer experts usually aim to steal data, and disrupt the Internet ecosystem. Whether the impetus comes from financial, political, or personal motivations, hackers are reaping rewards for their deviant behavior with little fear of getting caught.

Get with the Financial Times

Financial institutions are particularly vulnerable to DDoS attacks. Although a strike on an unprotected online business can result in the loss of big money, most often they only cause minimal damage in terms of dollars and cents. DDoS is not designed to pilfer anything; those who inflict the attacks simply receive the benefit of hurting their competition. Rival companies often engineer attacks to damage their rivals’ reputation in the market, simultaneously boosting their own.

Hackers can now hit financial institutions, both large and small, at strengths thought impossible several years ago. BTC China, the third largest Bitcoin exchange in the world, received a DDoS attack last September that, at times, measured a substantial 100Gbps. The barrage lasted more than nine hours. Fortunately, BTC was prepared with DDoS protection services from Incapsula, one of the leading security protection agencies.

Incapsula identified the threat as a SYN flood, a method that involves exchanging unresolved packets with a target server. While not the most sophisticated attack at a hacker’s disposal, SYN floods – especially of such sizes – are deadly when not countered with careful filtering measures.

What is the cyber-protection industry doing to combat these threats? Igal Zeifman, of Incapsula, responded to our query with these three tips:

  • On edge mitigation – Effective DDoS mitigation requires you to block malicious requests before they reach the origin server. This process involves accepting and identifying requests outside of your core infrastructure. In BTC’s case, Incapsula was able to leverage the network capacity (currently above 550Gbps) with its reverse proxy setup. It filtered the traffic on edge, on its own network, between the attacker and their target. As a result, it allowed regular visitors to pass through without causing any service disruptions.
  • Transparency – When dealing with DDoS mitigation, one should always consider the alternative costs of mitigation and its impact on regular visitors. With DDoS attacks lasting for days and weeks at a time, your DDoS protection strategy should be devised to cause minimal business disruption. Simply put, if your response is to flash CAPTCHAs and delay pages to all visitors, you are just doing the attackers’ work for them by causing a “self inflicted” disturbance of services.
  • Comprehensive protection – DDoS attacks come in different shapes and sizes and not all of them can be countered by network brawn, because some will require security expertise and finesse. To be protected from Application Layer DDoS attacks, you should rely on a strategy that uses a combination of bot filtering methods, most of which should be absolutely transparent. The industry standard today is a combination of JS and Cookie based challenges but these are not enough, as we now encounter DDoS bots that pass both tests and still cause damage to an under-protected server.
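The "JS and Cookie based challenges" mentioned in the last tip are the transparent filter an edge proxy applies before a request reaches the origin. The following added example, not Incapsula's code, shows the mechanism end to end: the edge issues a signed, IP-bound, time-limited token, a real browser runs the small script that stores it as a cookie and retries, and requests carrying a valid token pass while requests without one are answered with the challenge instead of reaching the origin. The token format, key, lifetime and the simulated clients are my assumptions.

```python
"""Added example (not Incapsula's code): a transparent cookie challenge as an
edge proxy would apply it in front of an origin server.

Assumptions (mine): the secret key, token layout, 10-minute lifetime and the
two simulated clients are constructed for the demo.
"""
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key-rotate-in-production"


def _sign(client_ip, ts):
    return hmac.new(SECRET, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(client_ip, now=None):
    """Edge side: token the challenge page's script stores as a cookie."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_sign(client_ip, ts)}"


def verify_cookie(client_ip, cookie, max_age=600, now=None):
    """Edge side: accept only a fresh, untampered token bound to this IP."""
    current = time.time() if now is None else now
    try:
        ts_str, sig = cookie.split(".", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    if current - ts > max_age or ts > current + 60:   # expired, or clock-skewed into the future
        return False
    return hmac.compare_digest(_sign(client_ip, ts), sig)


def edge_filter(request, now=None):
    """Decision for one request: 'pass' to origin, or 'challenge' (serve the
    small page whose script sets the cookie and reloads)."""
    cookie = request.get("cookie")
    if cookie and verify_cookie(request["ip"], cookie, now=now):
        return "pass"
    return "challenge"


def simulate(now=1_400_000_000):
    """Replay five requests each from a browser that executes the challenge
    script and from a bot that never does; returns origin hits per client."""
    hits = {"browser": 0, "dumb_bot": 0}
    jar = {}                                          # the browser's cookie jar
    for i in range(5):
        req = {"ip": "203.0.113.5", "cookie": jar.get("challenge")}
        if edge_filter(req, now=now + i) == "pass":
            hits["browser"] += 1
        else:                                         # browser ran the script: store the token, retry next time
            jar["challenge"] = issue_challenge("203.0.113.5", now=now + i)
    for i in range(5):
        req = {"ip": "198.51.100.7", "cookie": None}  # bot never executes JS, never gets a cookie
        if edge_filter(req, now=now + i) == "pass":
            hits["dumb_bot"] += 1
    return hits


if __name__ == "__main__":
    print(simulate())   # browser passes after one challenge round trip; bot never reaches origin
```

Binding the token to the client address and signing it with a server-side key means a bot cannot mint or share tokens, and the short lifetime bounds how long a stolen one is useful. As the tip itself warns, a bot that does execute JavaScript (the browser-based botnet described earlier on this page is exactly that) clears this filter, which is why it is a first layer and not the whole strategy.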

In Summary

A strong reputation is critical in the online finance industry. Customers are particularly sensitive to abnormalities when their money is involved. Cyber security industry experts are predicting record high DDoS numbers in terms of size and duration for 2014. Research third-party security services that fit your needs for DDoS protection.

Source: http://www.sitepronews.com/2014/04/11/security-specialists-discuss-ddos-protection-strategy-financial-site/