Why a massive DDoS attack on a blogger has internet experts worried

Someone on the internet seems very angry with cybersecurity blogger Brian Krebs.

On 20 September, Krebs’ website was hit with what experts say is the biggest Distributed Denial of Service (DDoS) attack in public internet history, knocking it offline for days with a furious 600 to 700 Gbps (Gigabits per second) traffic surge.

DDoS attacks are a simple way of overloading a network router or server with so much traffic that it stops responding to legitimate requests.

According to Akamai (which had the unenviable job of attempting to protect his site last week), the attack was twice the size of any DDoS event the firm had ever seen before, easily big enough to disrupt thousands of websites let alone one.

So why did someone expend time and money to attack a lone blogger in such a dramatic way? Krebs has his own theories, and the attack follows Krebs breaking a story about the hacking and subsequent takedown of kingpin DDoS site vDOS, but in truth nobody knows for certain and probably never will.

DDoS attacks, large and small, have become a routine fact of internet life.

Many attacks are quietly damped down by specialist firms who protect websites and internet services.

But the latest attack has experts worried all the same.

Stop what you’re doing

DDoS attacks first emerged as an issue on the public internet in the late 1990s, and since then have been getting larger, more complex and more targeted.

Early motivations tended towards spiteful mischief. A good example is the year 2000 attacks on websites including Yahoo, CNN and Amazon by ‘MafiaBoy’, who later turned out to be 15-year-old Canadian youth Michael Calce. Within weeks, he was arrested.

Things stepped up a level in 2008 when hacktivist group Anonymous started an infamous series of DDoS attacks with one aimed at websites belonging to the Church of Scientology.

By then, professional cybercriminals were offering DDoS-for-hire ‘booter’ and ‘stresser’ services that could be rented out to unscrupulous organizations to attack rivals. Built from armies of ordinary PCs and servers that had quietly been turned into botnet ‘zombies’ using malware, attacks suddenly got larger.

This culminated in 2013 with a massive DDoS attack on a British spam-fighting organization called Spamhaus that was measured at a then eye-popping 300Gbps.

These days, DDoS is often used in extortion attacks where cybercriminals threaten organizations with crippling attacks on their websites unless a ransom is paid. Many are inclined to pay up.

The Krebs effect

The discouraging aspect of the Krebs attack is that internet firms may have thought they were finally getting on top of DDoS, using techniques that identify rogue traffic and more quickly cut off the botnets that fuel these packet storms.

The apparent ease with which the latest massive attack was summoned suggests otherwise.

In 2015, Naked Security alumnus and blogger Graham Cluley suffered a smaller DDoS attack on his site, so Krebs is not alone. Weeks earlier, community site Mumsnet experienced a DDoS attack designed to distract security engineers as part of a cyberattack on the firm’s user database.

At the weekend, Google stepped in and opened its Project Shield umbrella over Krebs’ beleaguered site. Project Shield is a free service launched earlier in 2016 by Google, specifically to protect small websites such as Krebs’ from being silenced by DDoS attackers.

For now it looks like Google’s vast resources were enough to ward off the unprecedented attack, but it’s little comfort to know that nothing short of the internet’s biggest player was the shield that one simple news site needed.

With criminals apparently able to call up so much horsepower, the wizards of DDoS defence might yet have to rethink their plans – and fast.

Source: https://nakedsecurity.sophos.com/2016/09/29/why-a-massive-ddos-attack-on-a-blogger-has-internet-experts-worried/


Web Host Hit by DDoS of Over 1Tbps

A French web hosting company is claiming it has been hit by the biggest DDoS attack ever seen, powered by an IoT botnet with an estimated capacity of 1.5Tbps.

Octave Klaba, the founder and CTO of OVH, took to Twitter late last week to reveal his firm was under attack from a stream of DDoS blitzes creeping towards and eventually past the 1Tbps mark.

He claimed the botnet in question was initially comprised of around 145,000 internet-connected cameras and digital video recorders with an estimated 1-30Mbps capacity each – that’s a potential 1.5Tbps in total.

In further updates this week, Klaba said the botnet had grown, first by another 6,857 devices and then by 15,654 more.

The news follows reports last week that Akamai was forced to withdraw its pro bono DDoS protection of the KrebsOnSecurity site after it was allegedly hit by an attack measuring 665Gbps, then the largest on record.

Dave Larson, CTO and COO at Corero Network Security, claimed the recent attacks are beginning to change the way IT security professionals view DDoS.

“The internet is a powerful tool, and must be viewed with security and protection first and foremost,” he added. “Motivations for attacks, and the tools and devices used to execute the attacks, are readily available to just about anyone; combining this with almost complete anonymity creates a recipe to break the Internet.”

Roland Dobbins, principal engineer at Arbor Networks, argued that IoT botnets are increasingly favored by hackers because they frequently ship with insecure defaults, are often connected to high speed internet and are rarely patched to fix bugs.

“Embedded IoT devices are often low-interaction – end-users don’t spend much time directly interfacing with them, and so aren’t given any clues that they’re being exploited by threat actors to launch attacks,” he told Infosecurity.

“Organizations can defend against DDoS attacks by implementing best current practices for DDoS defense, including hardening their network infrastructure; ensuring they’ve complete visibility into all traffic from their networks; having sufficient DDoS mitigation capacity and capabilities either on premise or via cloud-based DDoS mitigation services or both; and by having a DDoS defense plan which is kept updated and is rehearsed on a regular basis.”

Source: http://www.infosecurity-magazine.com/news/web-host-hit-by-ddos-of-over-1tbps/


Here’s how security cameras drove the world’s biggest DDoS attack ever

DDoS attacks are reaching monster levels that pose a massive threat

The record for the biggest DDoS attack ever seen has been broken once again, with an absolute monster of distributed denial of service firepower managing to almost reach the not-so-magic 1Tbps mark.

Technically this was actually two concurrent attacks, although the majority of the traffic was concentrated in one, which is the largest ever recorded single blast of DDoS.

As the Register reported, Octave Klaba, the founder and CTO of OVH.com, the French hosting company which suffered the attack, said that the assault consisted of two simultaneous barrages of 799Gbps and 191Gbps, for a total of 990Gbps.

The previous largest DDoS was the recent 620Gbps effort that hit ‘Krebs On Security’, the website of security researcher Brian Krebs, which was driven by the same botnet of some 150,000+ compromised Internet of Things devices, routers, DVRs and security cameras responsible for this latest volley.

Krebs said he was hit in retaliation to an article posted on his blog, although it isn’t clear why OVH.com came under fire.

Massive attacks

As Klaba said on Twitter, though, it’s hardly uncommon for his company to experience DDoS, and a tweet outlining the attacks suffered by the organisation over a period of four days this month showed 25 separate attacks which all exceeded 100Gbps (including the two mentioned here). Several others were simultaneous (or near-simultaneous) pairs of attacks, too.

He further noted that the botnet in question could potentially up its firepower by some 50% compared to the assault his company was hit by, tweeting: “This botnet with 145,607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS.”

Not only are DDoS attacks getting larger in size, but they are also becoming much more frequent according to a VeriSign report we saw back in the spring – this observed that the number of attacks had almost doubled in the final quarter of 2015, compared to the same period in the previous year.

Source: http://www.techradar.com/news/internet/here-s-how-security-cameras-drove-the-world-s-biggest-ddos-attack-ever-1329480


OVH suffers 1.1Tbps DDoS attack

An internet hosting company has been the subject of a distributed denial of service attack the likes of which the world has never seen

Hosting company OVH has been subject to the biggest DDoS attack known to date, with peaks of over 1 Tbps of traffic.

Over the past week, the company has been subjected to an attack greater than the one suffered by Krebs on Security.

The attack led to company founder and CTO Octave Klaba tweeting, “last days, we got lot of huge DDoS. Here, the list of ‘bigger that 100Gbps’ only. You can see the simultaneous DDoS are close to 1Tbps!”

Klaba also shared a screenshot of the multiple attacks on the company’s infrastructure which, when added together, produced the 1Tbps directed at the company. The biggest single attack was documented at 799Gbps.

The OVH founder said that the attack had been mounted from IoT devices, including hacked CCTV cameras and personal video recorders. “This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn,” he tweeted.

At the beginning of the month, OVH confirmed that it was attacked by a 150Gbps DoS attack originating from Telefonica’s network.

Despite the eventual failure of the attack, its size raises the question of what would have happened to a much smaller host.

Richard Meeus, technical director EMEA at NSFOCUS, told SCMagazineUK.com that “DDOS attacks have always been growing over the last 10 years and this leveraging of IoT devices is only going to exacerbate the issue.”

“Only a few years ago, the only devices in your home were your laptops, tablets and phones – now add smart fridges, thermostats, DVRs, security cameras and even light bulbs,” he said.

“This increase in devices, that are running cut-down versions of standard operating systems, are made to be very simple for anyone to use. Unfortunately, this often means trading security for instant out-of-the-box satisfaction and thus passwords are left at default or communication is left unencrypted. This means that hackers can gain access and load DDOS tools onto the devices, and you are now a member of a botnet.”

Craig Parkin, associate partner at Citihub Consulting, told SC that firms need to protect against all types of DDOS.

“The use here of compromised CCTV cameras is just another way of forming the botnet that does the attacking. It now looks like IoT devices are forming a larger part of the botnet,” he said.

“The use of CCTV cameras has exploded recently in the consumer market, whereas previously, these cameras might have been maintained and installed professionally as they are now on home networks sharing a physical network and likely remaining unpatched and directly exposed to the internet. It’s a problem that will only get worse.”

Source: http://www.scmagazineuk.com/ovh-suffers-11tbps-ddos-attack/article/524826/


DDOS attacks: An old nemesis returns to cripple your network

Once considered a cybersecurity threat of the past, Distributed Denial of Service (DDoS) attacks have re-emerged with a vengeance. DDoS attacks are wreaking havoc on enterprises and end users with alarming frequency.

Distributed Denial of Service is a cyberattack in which multiple compromised systems, often infected with a Trojan, are used to target a single system and exhaust its resources so that legitimate users are denied access. Websites or other online resources become so overloaded with bogus traffic that they become unusable. A well-orchestrated DDoS carried out by automated bots or programs has the power to knock a website offline. These attacks can cripple even the largest and most established organisations. An e-commerce business can no longer conduct online transactions, jeopardising sales. Emergency response services can no longer respond, putting lives in danger.

According to the VeriSign Distributed Denial of Service Trends Report, DDoS activity increased by 85 percent in one year. The report also suggested that cyber attackers are beginning to hit targets repeatedly, with some organisations the target of DDoS attacks up to 16 times in just three months. If you think your organisation is obscure and can fly under the cyber attacker radar – forget it. Every industry is vulnerable.

If an increase in attacks isn’t troubling enough, the size and the amount of damage DDoS attacks can do is also disturbing. The fastest flood attack detected by Verisign occurred during the fourth quarter of 2015, targeting a telecommunications company by sending 125 million packets per second (Mpps), and driving a volumetric DDoS attack of 65 gigabits per second (Gbps). The end result – the site imploded and was temporarily knocked out of service.

Why DDoS attacks are back in vogue

The reason why DDoS attacks are back is simple – it is relatively easy to launch a sustained attack and cripple any organisation connected to the Internet. Botnets, groups of computers connected for malicious purposes, can actually be acquired as a DDoS-for-hire service. The ability to acquire destructive assets this easily demonstrates how little technical knowledge is needed to attack any organisation.

DDoS attacks typically hit in three ways – Application Order, Volumetric, and Hybrid. Application Order attacks cripple networks by potentially creating hundreds of thousands of connections at a time; volumetric attacks seek to overload a site with traffic; hybrid attacks combine the two to deliver the double whammy of knocking a business offline. The real danger of DDoS attacks is that they are often a diversion. While technicians are preoccupied with trying to get the website back up, attackers can often plant a backdoor in other areas of the network to eventually steal information.

How to prevent DDoS attacks

Prevention is nearly impossible, since there is no effective control of hackers in the outside world. A DDoS appliance protecting the Internet connection is the first line of defence and will help to mitigate an attack. Appliances from vendors such as Fortinet or Radware are placed on the customer’s premises, as close to the Internet edge as possible. These devices can help to identify and block most DDoS traffic. However, this solution falls short against a DDoS attack that is attempting to flood the Internet circuits themselves. The only way to protect against this type of attack is to have a device at the service provider or in the cloud. A managed security services provider (MSSP) can offer on-demand services that are both cost effective and architected with a cloud focus in mind, in order to protect effectively against each type of attack.

A number of companies offer tools to analyse network traffic for signs of malicious activity, which can often weed out unwanted network connections. Infrastructure Access Control Lists (IACLs) can also be configured on routers and switches to detect suspicious traffic patterns and keep unwanted traffic off servers.
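The traffic analysis this article recommends, applied to the tcp/ack, tcp/ack+psh and tcp/syn flood types that OVH’s CTO reported for the IoT botnet earlier on this page, as an added example that is not code from any of these articles: a small Python detector groups constructed flow records by destination, one-second window and TCP flag signature, and alerts only when both the aggregate bit rate and the number of distinct sources cross a threshold. The flow-record format, thresholds and addresses are all constructed for illustration.

```python
"""Toy volumetric-flood detector: added example, not code from any article
on this page. The flow-record format, thresholds and addresses are
constructed for illustration."""
from collections import defaultdict

# TCP flag combinations OVH's CTO listed for the 2016 botnet traffic,
# mapped to a label. Other flag mixes are ignored by this toy detector.
FLOOD_SIGNATURES = {
    frozenset({"SYN"}): "tcp/syn",
    frozenset({"ACK"}): "tcp/ack",
    frozenset({"ACK", "PSH"}): "tcp/ack+psh",
}


def parse_flow(line):
    """Parse one constructed record: 'ts src dst proto flags bytes'.
    'flags' is '-' or '+'-joined TCP flag names, e.g. 'ACK+PSH'."""
    ts, src, dst, proto, flags, nbytes = line.split()
    return {
        "ts": float(ts), "src": src, "dst": dst, "proto": proto,
        "flags": frozenset() if flags == "-" else frozenset(flags.split("+")),
        "bytes": int(nbytes),
    }


def detect_floods(records, window_s=1.0, min_gbps=1.0, min_sources=500):
    """Aggregate TCP flows per (destination, time window, flag signature)
    and alert when BOTH the bit rate and the distinct-source count exceed
    thresholds. The source-count test is what separates a distributed
    flood from one legitimately busy client or a single-host DoS."""
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for r in records:
        sig = FLOOD_SIGNATURES.get(r["flags"])
        if r["proto"] != "tcp" or sig is None:
            continue
        key = (r["dst"], int(r["ts"] // window_s), sig)
        buckets[key]["bytes"] += r["bytes"]
        buckets[key]["sources"].add(r["src"])

    alerts = []
    for (dst, window, sig), b in sorted(buckets.items()):
        gbps = b["bytes"] * 8 / window_s / 1e9
        if gbps >= min_gbps and len(b["sources"]) >= min_sources:
            alerts.append({"dst": dst, "window": window, "type": sig,
                           "gbps": round(gbps, 2),
                           "sources": len(b["sources"])})
    return alerts


def constructed_flows():
    """Constructed traffic: 1,500 bot addresses each sending a 10 Mbit ACK
    burst and a 1 Mbit ACK+PSH burst inside one second (the per-device
    rates the OVH tweet quoted were 1-30 Mbps), plus a few normal flows."""
    lines = []
    for i in range(1500):
        bot = f"10.{i // 256}.{i % 256}.7"          # placeholder bot address
        lines.append(f"100.2 {bot} 203.0.113.10 tcp ACK 1250000")
        lines.append(f"100.4 {bot} 203.0.113.10 tcp ACK+PSH 125000")
    lines.append("100.3 192.0.2.5 203.0.113.10 tcp SYN 60")       # one handshake
    lines.append("100.5 192.0.2.6 203.0.113.10 tcp ACK+PSH 1400")  # one request
    lines.append("100.6 192.0.2.7 203.0.113.10 udp - 500")         # non-TCP
    return lines


def run_detector():
    """Parse the constructed flows and return the alerts: a 15 Gbps tcp/ack
    alert from 1,500 sources and a 1.5 Gbps tcp/ack+psh alert from 1,501
    sources; the lone SYN never reaches the source-count threshold."""
    return detect_floods(parse_flow(line) for line in constructed_flows())


if __name__ == "__main__":
    for alert in run_detector():
        print(alert)
```

The per-window buckets keyed by flag signature are the same aggregation an edge appliance or IACL counter would need; real deployments would feed it NetFlow/sFlow records and tune the two thresholds to the circuit size.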

Many companies believe they can thwart attacks by hiding behind a firewall, but these general purpose tools are typically the first to fall. Firewalls offer some protection, but they can be easily hacked. Organisations expose themselves to attack when they use technology as a crutch. Winning the DDoS war requires organisations to look at their operations as a critical network and seek ways to defend it with talented individuals and technology that stay one step ahead of the attackers. A firewall is important but not a panacea.

The major drawback to do-it-yourself solutions is that they are reactive. Attackers can easily modify their methods and come at a business from disparate sources using different vectors. This keeps an organisation always in a defensive position, having to repeatedly deploy additional configurations, while simultaneously attempting to recover from any downtime events.

Many organisations have limited expertise and resource bandwidth to deal with the complexities of security and compliance. Managed security services providers with the ability to monitor, manage and protect control systems fill that cybersecurity gap. Detecting a DDoS attack requires specialised hardware capable of sending alerts via email or text. The goal is to report and respond to the incident before the attacker makes resources unavailable. An MSSP that employs both technology and on-site personnel can monitor and act as a full operations team.

If a DDoS attack is suspected, it is probably affecting the ISP as well. The security team should immediately contact the ISP to see if they can detect a DDoS attack and re-route traffic. Inquire whether any DDoS protective services are available, and consider a backup ISP as a contingency.

DDoS attacks will continue in the future due to the ease of execution. Companies must ensure they are prepared, constantly monitor the network, and have a game plan if an attack is under way. The daily headlines prove that no organisation is immune. With a little foresight it is possible to both thwart an attack and defend against future ones.

Source: http://www.itproportal.com/features/ddos-attacks-an-old-nemesis-returns-to-cripple-your-network/


Hackers threaten First Securities with DDoS attacks

TAIPEI, Taiwan — First Securities (第一金證券) was blackmailed on Thursday by hackers who threatened to completely disable its trading system with DDoS (distributed denial-of-service) attacks.

The hackers asked the brokerage firm to pay 50 bitcoins (approximately NT$940,000), in an email that they sent to First Securities at around 10 a.m. on Thursday.

Local newspaper Apple Daily cited an unnamed source as saying that a DDoS attack came at around 11 a.m., stopping all electronic trades.

First Securities President Yeh Kuang-chang (葉光章) confirmed that they received the blackmail email but stressed that the firm’s trading system was only slowed down but not disabled by the attacks as reported. The firm has activated a reserve system and, while a small number of investors were affected by the attacks, the system was not paralyzed, Yeh said. He said he believed the situation would be resolved by Friday.

Yeh said the firm had reported the incident, which he said had caused no losses to the firm, to the authorities or to the investigation bureau.

Yeh also stressed that while the firm had yet to ascertain the origin of the hackers, he had preliminarily ruled out the possibility that Thursday’s DDoS attacks were related to the ATM heist aimed at its sister institution — First Commercial Bank — in July. ATMs at 41 First Bank branches were hacked in the incident, with over NT$80 million believed to have been stolen. Seventeen suspects from six countries have been identified in the heist, which involved an international crime ring.

The Taiwan Stock Exchange (TWSE) issued a statement at 6 p.m. saying that First Securities suffered from an unknown online attack beginning at 10:50 a.m. and was not able to immediately recover its electronic trading system. The TWSE advised investors to use other forms of trading.

TWSE Vice President Chien Lih-chung (簡立忠) said the TWSE had informed other securities firms and that no other firms had reported similar blackmail or system problems.

Source: http://www.chinapost.com.tw/taiwan/national/national-news/2016/09/23/479195/Hackers-threaten.htm


Renowned blog KrebsOnSecurity hit with massive DDoS attack

The 620 Gbps DDoS attack was built on a massive botnet.

The security blog KrebsOnSecurity has been hit with one of the largest distributed denial of service (DDoS) attacks of all time.

The site, which is run by security expert Brian Krebs, was hit by a DDoS attack of around 620 Gbps on 20 September.

KrebsOnSecurity managed to stay online during the attack, due to defences from content delivery network provider Akamai.

The largest attack of this kind Akamai had previously defended was one of 336 Gbps earlier this year.

Previous large-scale DDoS attacks, including the 336 Gbps attack, used well-known methods to amplify a smaller attack, such as bouncing traffic off unmanaged DNS servers.

Apart from being much larger in terms of scale, the attack on KrebsOnSecurity also differed in that it seemed to instead use a very large botnet of hacked devices. This could have involved hundreds of thousands of systems.

“Someone has a botnet with capabilities we haven’t seen before,” Martin McKeay, Akamai’s senior security advocate, said to KrebsOnSecurity. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere.”

Brian Krebs said that there were some signs that the attack had used a botnet that had captured a large number of Internet of Things (IoT) devices.

During a DDoS attack, the targeted website is flooded with traffic, designed to overwhelm the resources of the site to crash or suspend its services.

“It seems likely that we can expect such monster attacks to soon become the new norm,” wrote Krebs.

He suggested that the attack on his site might have been in retaliation for a series he had done on the takedown of a DDoS-for-hire service vDOS, a theory supported by text included in the strings of the DDoS attack referencing the vDOS owners.

Source: http://www.cbronline.com/news/cybersecurity/business/renowned-blog-krebsonsecurity-hit-with-massive-ddos-attack-5012622


Cybersecurity is threatening America’s military supremacy

The sparsely populated Spratly Islands, a collection of hundreds of islands and reefs spread over roughly 165,000 square miles in the South China Sea, are very quickly becoming the center of one of the most contentious international disputes between world powers since the fall of the Soviet Union.

Alarmingly, the use of cyber attacks in this dispute suggests we might already be in the midst of a new Cold War playing out in cyberspace — where America’s advantage is not as clear as it is with conventional armies and navies.

The Spratly Islands are of economic and strategic importance. All of the countries in the region — including China, Vietnam and the Philippines — have made competing territorial claims to the region. In recent years, China has become increasingly aggressive in its claim, rapidly building artificial islands while also conducting military operations in the area.

Beyond this conventional military build-up, however, are complex and brazen cyber attacks by China that are leaving America and its allies increasingly concerned.

A massive distributed denial of service (DDoS) attack knocked offline at least 68 Philippine government websites in July, apparently in response to an international court ruling that denied China’s territorial claims in the region. Just days later, Vietnam’s national airline and major airports were targeted in a series of attacks by the Chinese hacking group 1937CN.

Those are just the latest examples of China’s years-long cyber campaign related to the Spratly Islands. (In another attack, the website of the aforementioned international court was infected with malware and taken offline last year.)

While these “nuisance” attacks — and continued cyber espionage by China — are serious, targeted Chinese cyber attacks designed to impact America’s physical military systems in the South China Sea are the most substantial evidence that we may be on the brink of a more tangible cyber threat to American military power.

China appears to be moving forward with plans to use electronic attacks designed to either disrupt or take control of American drones. With reports that the Chinese attempted to interfere with U.S. military drones at least once in recent years, the country has shown a willingness to use GPS jamming to prevent U.S. aircraft from conducting surveillance missions in the Spratly Islands.

That 2015 instance appears to fit China’s public posturing on the ways it says it could use electronic GPS jamming to disrupt U.S. drone networks. One 2013 report in the Chinese journal Aerospace Electronic Warfare notes in technical detail how its military can “use network warfare to attack and even control America’s network” by disrupting the connection between satellites and aircraft.

This sort of GPS jamming could be the largest electronic threat to the U.S. drone program. In fact, it has been widely speculated that Iran used a similar GPS “spoofing” technique to take control of a U.S. surveillance drone in 2011.

The American military says it is preparing for these sorts of attacks with its new cyber strategy released last year. In addition to outlining how cyber will be included in military planning, the report calls for a hardening of the military’s cyber defenses to prevent the theft of military technology or cyber attacks against military infrastructure and weaponry.


Blizzard’s Battle.net Servers Knocked Offline By Another DDoS Attack

Blizzard Entertainment became a victim of yet another distributed denial-of-service (DDoS) attack as its Battle.net servers were knocked down on Sunday, Sept. 18.

The DDoS attack that rendered Battle.net’s servers offline was waged by hacking group PoodleCorp.

Owing to the attack, Battle.net, which runs several popular games such as World of Warcraft, Hearthstone: Heroes of Warcraft and Overwatch, to name a few, was left handicapped even as angry users took to social media to vent their ire.

Gamers on PC, PlayStation 4 and Xbox One were all affected by the outage. Blizzard Entertainment acknowledged the situation on its official Twitter account.

“We are currently monitoring a DDOS attack against network providers which is affecting latency/connections to our games,” wrote Blizzard in a tweet.

The DDoS attack on Battle.net lasted for half an hour after PoodleCorp took to Twitter to state that it would halt the attack and restore the servers if the tweet below was retweeted 2,000 times.

The blackmail (ransom note?) found favor with a majority of gamers as they were only too willing to retweet to have access again to the games they were playing. As promised, PoodleCorp stopped the attack once the 2,000 retweet milestone was reached. This is not the first time Blizzard Entertainment has come under the mercy of PoodleCorp.

Earlier in August, we reported that it was hit with a PoodleCorp DDoS attack, which disrupted gameplay for users of Battle.net until network engineers addressed the issue. Back then however, the hacking group did not ask for retweets.

Blizzard Entertainment has been the victim of a spate of DDoS attacks in the past few months. In June, an attack took down its servers as well. The outage was attributed to Lizard Squad member AppleJ4ck, who claimed responsibility and cautioned that the hack was a small part of some “preparations.”

Aside from the DDoS attack, Blizzard has been having a terrible week anyway. On Sept. 14, 16 and 18, the company suffered from technical issues that prevented or delayed users from logging in and joining the game servers. However, for now, Blizzard Entertainment can breathe easy as the technical problems Battle.net was encountering owing to the DDoS attack from PoodleCorp have been resolved.

Source: http://www.techtimes.com/articles/178300/20160919/blizzards-battle-net-servers-knocked-offline-by-another-ddos-attack.htm


DDoS always knocks twice

If you were DDoSed once, you will be DDoSed again, that is for sure.

A company is rarely attacked by a DDoS (distributed denial of service) just once. If it happens once, it will probably happen again, which is why constant preventive measures are required if a company wants to keep its online services operational.

These are the results of a new report by Kaspersky Lab. Entitled Corporate IT Security Risks 2016, it says that one in six companies were victims of DDoS attacks in the past 12 months. The majority of those attacks were aimed at construction, IT and telecommunications companies. Almost four out of five (79 per cent) reported more than one attack, and almost half reported being attacked four times or more. The length of these attacks is also an issue. Just over a third (39 per cent) are considered ‘short-lived’, while more than a fifth (21 per cent) lasted ‘several days’ or even ‘weeks’.

Companies are usually the last to know they’re being attacked, too, with 27 per cent being informed by their customers, and in 46 per cent of cases by their third-party audit organisation. Kaspersky Lab says this is not unusual, as cyber-attackers usually go for customer portals (40 per cent), communication services (40 per cent) and websites (39 per cent).

“It’s dangerous to view DDoS attacks as some rare occurrence that a company may encounter once, by accident, and with minimal damage. As a rule, if an attack is successful, the criminals will use this tool against a company over and over again, blocking its resources for prolonged periods of time. Unfortunately, even a single attack can inflict large financial and reputational losses and, considering the likelihood of a repeat attack is almost 80 per cent, you can multiply these losses two, three or more times. For a modern company, an anti-DDoS solution is just as necessary as the basic protection against malware and phishing,” says Alexey Kiselev, Project Manager on the Kaspersky DDoS Protection team.

Source: http://www.itproportal.com/news/ddos-always-knocks-twice/
