dos Archives - IT Security Guru
https://www.itsecurityguru.org/tag/dos/
The Site for our Community

The Three Little Pigs and the Big Bad Botnet
https://www.itsecurityguru.org/2016/05/16/the-three-little-pigs-and-the-big-bad-botnet/
Mon, 16 May 2016 08:38:32 +0000
I’ll huff and I’ll puff and I’ll…bring your web application offline!
The possibility of a business being targeted by some huge zombie army, or botnet, is enough to send shivers down the spine of many seasoned security veterans. Modern botnets are of vast size and power, with more sophisticated features and capabilities than ever before. Modern botnet attacks can be very precise and controlled, being pulsed and sent in different ways to make the attackers impossible to trace and the impact that much more damaging. So who is behind these botnets, what can we expect to see in the future and how can organisations put their fears to bed and defend themselves effectively from them?
Botnets have transformed the DDoS landscape. Once, attacks were the preserve of a small, technical elite who had enough coding skills to launch a strike. But now, DDoS-for-hire botnets have significantly lowered the barriers to entry. A quick Google search and a PayPal account make botnets readily available for just a few dozen dollars, with no coding experience necessary. And they are becoming increasingly popular – DDoS-for-hire botnets are now estimated to be behind as many as 40 per cent of all network layer attacks.
But while the majority of purchasers are likely to be low-level attackers, seeking to cause mischief and settle personal grievances, more powerful botnets-for-hire are also being utilised by state actors and organised crime syndicates.  In recent years, DDoS attacks have been getting bigger and bigger. Our Security Operations Centre recorded a dramatic (25%) increase in very large attacks of more than 10Gb per second among our customer base in the second half of last year. And in terms of individual attacks, the strike on the BBC in January was one of the biggest ever reported, at an enormous 600Gb per second. While these attacks clearly cause significant damage, we believe that their primary purpose is often just to demonstrate their attackers’ capabilities so that they can be sold as a service in the future. The kind of gigantic attacks that make headlines aren’t cheap to rent, and would probably cost upwards of $150,000 to engage. As a result, these are only likely to be utilised by criminal or nation state attackers, who have access to a sophisticated infrastructure with money laundering capabilities.
Looking forward, there is really no limit to the potential size and scale of future botnet-driven DDoS attacks, particularly when they harness the full range of smart devices incorporated into our Internet of Things. By using amplification techniques on the millions of very high bandwidth density devices currently accessible, such as baby video monitors and security cameras, DDoS attacks are set to become even more colossal in scale. Terabit-class attacks may be increasingly common and ‘breaking the Internet’ – or at least clogging it in certain regions – could soon become a reality. The bottom line is that attacks of this size can take virtually any company offline, and are a reality that anyone with an online presence must be prepared to defend against.
But it isn’t just the giant attacks that organisations need to worry about.  Before botnets are mobilised, hackers need to make sure that their techniques are going to work. This is usually done through the use of small, sub-saturating attacks which most IT teams wouldn’t even recognise as a DDoS attack.  Due to their size – the majority are less than five minutes in duration and under 1Gbps – these shorter attacks typically evade detection by most legacy out-of-band DDoS mitigation tools, which are generally configured with detection thresholds that ignore this level of activity.  This allows hackers to perfect their methods under the radar, leaving security teams blindsided by subsequent attacks.  If these techniques are then deployed at full scale with a botnet, the results can be devastating.
Besides harnessing enormous power, botnets are also notoriously difficult to spot.  Once deployed, they utilise sophisticated techniques to hide their tracks. Their command and control infrastructure can be automated or set on autopilot, they can sleep for long periods of time, they can have ubiquitous bandwidth available at any time of day by waking up different regions at different times – they are a complex and vast maze, often operated by some of the brightest minds in cybercrime. But that’s no reason for organisations to resign themselves to eventually getting attacked.  So what are the most effective methods of defence?
The old way was to use a cloud-based scrubbing centre, where the security team can divert traffic for analysis and filtering when they see a DDoS attack. But asking a human to monitor the edge of the network and intervene when they think they’ve spotted a DDoS attack is very labour intensive and won’t react fast enough to the automated attacks of today. Furthermore this won’t apprehend the sub-saturation attacks that experiment on your networks undetected, finding vulnerabilities and testing new methods.
So a proper modern method is one that’s always on, deployed in-line and doesn’t require human intervention in order to maintain clean traffic. The technology, whilst relatively new, is available on premises and from upstream providers, so there are options open to most organisations no matter their size, budget and likelihood of being targeted. It also frees up your manpower to focus on preventing data exfiltration and other malicious activity taking place, making your staff much more productive.
So there you have it – maybe the three little pigs don’t need to worry about the big bad botnet after all! There are methods on offer to help you build your proverbial “house” (security infrastructure) out of bricks and mitigate the most serious botnet-driven DDoS attacks on your networks.
Dave Larson is Chief Operating Officer at Corero Network Security. To find out more about Corero, head over to their website or follow them on twitter.

The post The Three Little Pigs and the Big Bad Botnet appeared first on IT Security Guru.

Notorious pro-US hacker Jester diverts DoS attack towards Israeli spy service Mossad
https://www.itsecurityguru.org/2016/04/04/notorious-pro-us-hacker-jester-diverts-dos-attack-towards-israeli-spy-service-mossad/
Mon, 04 Apr 2016 11:01:49 +0000
A high-profile US hacker has turned an attack on his website into an assault against the Israeli intelligence service. ‘The Jester’ – or th3j35t3r – claims that he diverted an attempt to overload his website to assault Mossad’s online presence. Haaretz reported that Jester’s website – jesterscourt.cc – was the victim of a denial of service (DoS) attack on the night of 1 April. In a tweet, Jester announced that he had diverted the hacker’s attack by simply changing the IP address his website was registered on.
Original Source: International Business Times

The post Notorious pro-US hacker Jester diverts DoS attack towards Israeli spy service Mossad appeared first on IT Security Guru.

What's a Russian DDoS Booter Making for its Proprietors?
https://www.itsecurityguru.org/2016/03/03/whats-russian-ddos-booter-making-proprietors/
Thu, 03 Mar 2016 15:58:16 +0000
At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS service.
It Starts With an Advertisement
In this marketplace, it almost always starts with an advertisement for a DDoS booter service on one of the many public Russian language forums. In this case study, a threat actor known as “Forceful” runs the service. Searching for their ICQ number and/or Jabber address returns a number of advertisements starting circa November 2014. Here is an example advertisement (Google translated):
[Image: ad]
These types of ads typically contain:

  • A fancy logo, banner, or motto
  • Short explanation of what DDoS is
  • Type of DDoS attacks they support
  • Pricing
  • Reputation information
  • Contact details

Then Pivots on an OPSEC Mistake
What these ads usually don’t contain, however, are the command and control (C2) details of their botnets used to carry out the purchased DDoS attacks. Making the jump from ad to botnet usually requires the threat actor making a public operational security (OPSEC) mistake. These mistakes come in a number of flavors and this was one of Forceful’s:
[Image: av_test_p1]
[Image: av_test_p2]
The actor was participating in a forum discussion about a crypter–a tool used to encrypt/obfuscate malware executables to help evade antivirus detection and hinder analysis. As with the other participants in the thread, Forceful posted a screenshot of the results of a virus scanning service to test how effective the crypter was on a malware sample. At the bottom of the screenshot, it lists the following hashes of the crypted executable:

  • cf87f70901a1f16015bd10c289e8c3ed (MD5)
  • d361e3ddfc4e6f03ed7bad5586934854478708a5 (SHA1)
  • Compilation Date: 2015-09-19 12:39:43

Forceful’s mistake was that instead of deleting the test executable, it was distributed into the wild. Once released, it was picked up by ASERT’s malware zoo and others.
The Malware
This malware’s C2 domain is “kypitest[.]ru” and its phone home looks like:
[Image: phonehome]
The HTTP request exhibits telltale signs of the G-Bot DDoS bot. Visiting the bot’s C2 panel confirms this suspicion:
[Image: kypitest_panel]
The following sample is also related:

  • 7ab6d627c7149ec88909a90bd64ce6e1 (MD5)
  • 4fab28b1bbce94f077861ca2d9d8299b005fa961 (SHA1)
  • Compilation Date: 2015-07-02 12:57:16

The Attacks
ASERT keeps tabs on DDoS botnets and their attack activity with our BladeRunner botnet monitoring system, and kypitest[.]ru is no exception. The first attack we logged for this botnet was on July 9, 2015 and there’s been steady activity since:
[Image: attacks]
At the time of this writing, attacks have been observed on 108 unique target hosts/IPs in the following countries:
[Image: countries]
Attacks can be categorized into the following types:
[Image: attack_types]
A Second OPSEC Mistake Helps Corroborate
While a self-identified DDoS threat actor posting an MD5 hash of a known DDoS malware feels like a solid link between a DDoS-as-a-service advertisement and a DDoS botnet, a second OPSEC mistake by the threat actor has helped strengthen their association with kypitest[.]ru. On November 11, 2015 Forceful started a forum thread (including ICQ instant messaging logs) complaining that another forum (tophope[.].ru) had unfairly deleted their DDoS advertisement:
[Image: opsec2]
The Google translation of the thread wasn’t great, but a colleague fluent in Russian provided helpful translations of some of the more interesting parts:

So, I’ve decided to bring up my old thread [link] today and found out that it was deleted without any notification. Tried to contact someone in chat – no response, tried to contact admin guy “Nerom” – no response either. Well, I’ve decided to “charge” their forum for 1-2 hours, just to test. In the couple minutes angry admin contacts me

Nerom: You disclosed yourself
Nerom: I’ll get to the police department today
Nerom: to make a statement about it
555762555: Well, you wanted a test
555762555: how this is not a test?
Nerom: Well, the test wasn’t valid
Nerom: You attacking the server without protection

Nerom: I’ve made a statement
Nerom: your IP is being checked
Nerom: someone will pay you a visit tomorrow

Two days later, on November 11, 2015, BladeRunner observed the following:
[Image: bladerunner_attacks]
This is a multi-pronged DDoS attack ordered by the kypitest[.]ru C2 on the above referenced forum and its hosting IP address.
The Estimation
Before running the numbers, let’s take a look at a specific attack. Starting on August 8, 2015 at around 08:47 an “.httpflood” attack was launched against a crypto currency mining pool. The attack continued for two days and about 21 hours until August 11, 2015 at around 06:07. Per an August 8th post to the mining pool’s Reddit, it looks as if this attack was unfortunately successful:
[Image: comment]
The threat actor’s pricing is available in the DDoS booter ad:

  • Daily – $60
  • Weekly – $400
  • 10% discount on orders of $500
  • 15% discount on orders of $1000

An hourly price isn’t specified in the ad, so a price of $2.50 ($60/24 hours = $2.50) is used here. With these prices, the estimated revenue generated by the above attack was:

2 days x $60 + 21 hours x $2.50 = $172.50 (rounded to $173)

Using this methodology on the other observed attacks, the following estimations were made:
[Image: numbers]
BladeRunner polls botnets about once an hour, so attack durations of less than one hour are not as precise. In addition, per Forceful’s ad they offer a free 5-10 minute test, so it is feasible that many of these entries are quick tests. For these two reasons they are not counted towards revenue estimation.
Related domains and IPs in the same timeframe were grouped together in the same attack. Attacks highlighted in yellow are on the same target, but were performed multiple days apart.
In the end, the total estimated revenue for the 82 attacks from July 9, 2015 to October 18, 2015 was $5,408. The mean estimated revenue per attack was $66 and the mean estimated revenue per day was $54.
Conclusion
As we see in Arbor’s most recent Worldwide Infrastructure Security Report (WISR), the average cost to the victim of a DDoS attack is around $500 per minute. And as we’ve seen above, the mean cost to the attacker is only $66 per attack. This finding highlights both the extreme asymmetry of the economics of DDoS attackers vs. those of the victims of DDoS attacks, as well as the importance of robust DDoS defenses to all organizations which depend upon their online presence for revenue, customer support, and other important business functions.  The cost to launch a DDoS attack is so low that the barrier to entry for attackers is practically nil – and that means that *any* organization can potentially be the target of a DDoS attack, since the investment required to launch an attack is so low.
Additionally, it’s important to understand that the economics of the booter/stresser operator are extremely favorable.  The booter/stresser operator is leveraging PCs, servers, and IoT devices such as home broadband routers to set up a DDoS-as-a-service enterprise with zero infrastructure and bandwidth costs, because the booter/stresser service is clandestinely and illegally leveraging infrastructure and connectivity which belongs to others; the booter/stresser operator doesn’t pay taxes on the illicit proceeds of the service; and hundreds or even thousands of attackers can simultaneously utilize the booter/stresser service to launch DDoS attacks, thus boosting the tax-free/cost-free revenues of the service considerably.

The post What's a Russian DDoS Booter Making for its Proprietors? appeared first on IT Security Guru.

BTCC Bitcoin Trader Blackmailed with DDoS Attacks
https://www.itsecurityguru.org/2016/01/04/btcc-bitcoin-trader-blackmailed-with-ddos-attacks/
Mon, 04 Jan 2016 09:57:04 +0000
BTCC is the latest victim of the Bitcoin-for-DDoS extortion scheme, but unfortunately for the attacker, the company was financially capable of implementing better DDoS protection measures and making the attacker go away.

The first DDoS attack took place on December 31, as Crypto Currency News reports, and seemed to be quite small in capacity. As soon as the attack ended, the company, a well-known Bitcoin trader, received a ransom email from the (currently unknown) attacker.

The email warned the company of more DDoS attacks unless they’d pay a ransom of 1 Bitcoin (around $425). On January 1, the attacker continued its assault, launching a 10 Gbps attack.

Original source: Softpedia

The post BTCC Bitcoin Trader Blackmailed with DDoS Attacks appeared first on IT Security Guru.

BBC, Trump web attacks "just the start," says hacktivist group
https://www.itsecurityguru.org/2016/01/04/bbc-trump-web-attacks-just-the-start-says-hacktivist-group/
Mon, 04 Jan 2016 09:49:02 +0000
The group that claimed responsibility for taking down the BBC’s global website last week has said the attack was “just the start.”
On Saturday, a group calling itself New World Hacking also claimed responsibility for an attack that downed Republican presidential candidate Donald Trump’s campaign website for about an hour.
The cause of the attack was a massive distributed denial-of-service (DDoS) attack, which relies on pummeling a web server with so much traffic that it crumbles under the weight and stops responding.
DDoS attacks are widely used, and simple to carry out, often by online groups with the aim of bringing down websites for extended periods.
 
Original source: ZDNet

The post BBC, Trump web attacks "just the start," says hacktivist group appeared first on IT Security Guru.

ITSG News: Thai Government DDoSed by Citizens
https://www.itsecurityguru.org/2015/10/01/itsg-news-thai-government-ddosed-by-citizens/
Thu, 01 Oct 2015 11:53:56 +0000
In today’s news: Cyber criminals have once again targeted nation states, this time with the Thai government as the victim.
News outlets are reporting this morning that several Thai government websites were hit by a suspected DDoS attack around 3pm GMT, or 10pm local time, yesterday. Websites were impossible to access for several hours, with the government restoring access by Thursday morning.
Unlike ordinary DDoS attacks that are usually orchestrated by a particular program or bot, Thai citizens were encouraged via social media on Wednesday to visit several government websites and continually refresh them, forcing an overload of visitors and the websites to crash. Top targets included the ministry of information, communications and technology, and the main government websites.
Although the motives of the attack have yet to be confirmed, it is suspected the attack was a protest against the Thai government’s plan to limit access to websites deemed inappropriate.
Tens of thousands of people have signed a petition opposing the proposal, which has been nicknamed “The Great Firewall of Thailand”, a name that references the Great Firewall of China, the Chinese government’s well-established censorship of the internet. The Thai military government has increased censorship, blocked websites and criminally charged citizens over comments made online since seizing power midway through last year.
The attack comes not long after the OPM breach in the US in July, showing that governments are becoming an increasingly popular target for attacks, whether it be state on state, or what appears to be the case for this particular hack, individual protests.
More IT security news at www.itsecurityguru.org

The post ITSG News: Thai Government DDoSed by Citizens appeared first on IT Security Guru.

Mobile advertising DDoS JavaScript drip serves site with 4.5 billion hits
https://www.itsecurityguru.org/2015/09/28/mobile-advertising-ddos-javascript-drip-serves-site-with-4-5-billion-hits/
Mon, 28 Sep 2015 08:50:11 +0000
CloudFlare has turned up an unusual form of denial-of-service attack: mobile advertisements that are pumping out around 275,000 HTTP requests per second.
The cloud outfit didn’t name the victim, but said the Layer 7 HTTP floods hitting the target are the latest example of a once-theoretical attack turning up in the real world.
London CloudFlare engineer Marek Majkowski says the difficulty in turning HTTP floods into a real attack was overcome using malicious JavaScript in an advertisement.
“Browser-based L7 floods have been rumored as a theoretical threat for a long time,” Majkowski says.
“It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it.
“Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizable browser-based floods.”
CloudFlare copped 4.5 billion requests in a day of attacks against a customer domain, originating from around 650 thousand unique IP addresses.
Virtually all traffic came from mobile devices in China.
 

The post Mobile advertising DDoS JavaScript drip serves site with 4.5 billion hits appeared first on IT Security Guru.

Kremlin hit by "very powerful" DDoS attack
https://www.itsecurityguru.org/2015/09/18/kremlin-hit-by-very-powerful-ddos-attack-2/
Fri, 18 Sep 2015 11:14:50 +0000
The Kremlin has reportedly been hit by what they have described as a “very powerful” distributed denial of service attack – also known as a DDoS attack. The attack is reported to have targeted the nation’s electoral commission.
A similar attack was made on Sunday, which targeted the official website of Russian president, Vladimir Putin.
As many as 50,000 requests per minute were made in the attacks, according to Vladimir Churov, chairman of Russia’s electoral commission. Churov also announced that the attack was based in the United States, saying that a company in San Francisco has already been identified as the source of the attack.
DDoS attacks work by flooding a network with requests, resultantly bringing applications or websites down as they are unable to cope with the heavy traffic. Additionally, experts such as Dave Larson, CTO at Corero Network Security, have said in the past that DDoS attacks can mask other nefarious activities such as network profiling, aiding hackers in their next attack.

The post Kremlin hit by "very powerful" DDoS attack appeared first on IT Security Guru.

NCA Website Brought Down by Lizard Squad
https://www.itsecurityguru.org/2015/09/02/nca-website-brought-down-by-lizard-squad/
Wed, 02 Sep 2015 15:18:14 +0000
The NCA website was taken down by the notorious hacking group, Lizard Squad.
The National Crime Agency, or NCA, is a UK body tasked with apprehending organised crime, having replaced the Serious Organised Crime Agency in 2013. The attack has come as an act of retaliation for the NCA’s arrest of 6 people for using Lizard Squad’s DDoS tool.
While a DDoS may not cause long term instability for the agency, the fact that it was caught unprepared and taken down has sent a wave of surprise across the internet community.
An NCA spokesperson was quick to denounce the attacks and downplay the impact of the attack, saying that the operational capability of the NCA was not harmed by the attack and caused nothing more than a ‘temporary inconvenience’.
However, there are experts warning that DDoS attacks are far more than just a trickster taking down a website for a little while. Dave Larson, CTO at Corero Network Security, has stated that DDoS attacks are not always what they seem. Namely, a DDoS can act as a smokescreen diversion which allows hackers to run additional attacks aimed at breaching sensitive data and further impacting operations. Some experts say that denial of service attacks can also be labelled as a denial of security – namely, while the attack is in place, security measures can’t cope anymore and hackers can venture inside the network.
With this in mind, Lizard Squad’s actions today could be a prelude to a larger attack in the future – only time will tell.
 

The post NCA Website Brought Down by Lizard Squad appeared first on IT Security Guru.

BitTorrent kills bug that turns networks into a website-slaying weapon
https://www.itsecurityguru.org/2015/08/28/bittorrent-kills-bug-that-turns-networks-into-a-website-slaying-weapon/
Fri, 28 Aug 2015 08:39:25 +0000
BitTorrent has fixed a flaw in its technology that quietly turns file-sharing networks into weapons capable of blasting websites and other internet servers offline.
The San Francisco company said Thursday the patch for its libuTP software will stop miscreants from abusing the peer-to-peer protocol to launch distributed reflective denial-of-service (DRDoS) attacks.
LibuTP is an essential building block for BitTorrent apps, such as Vuze, uTorrent, Transmission and BitTorrent’s own client software. These applications must be updated to include the fix, and installed by netizens to fully kill off the DRDoS vulnerability. uTorrent version 3.4.4 40911, BitTorrent version 7.9.5 40912, and BitTorrent Sync version 2.1.3, were all patched up earlier this month.
 

The post BitTorrent kills bug that turns networks into a website-slaying weapon appeared first on IT Security Guru.
