Unidentified cyber criminals have launched a denial of service attack on a UK-based anti-fraud website. The popular anti-fraud site Bobbear.co.uk is currently under a DDoS attack (distributed denial of service attack) that is continuing to hit the site with 3/4 million hits daily from hundreds of thousands of malware-infected hosts, mostly based in Asia and Eastern Europe, according to the site’s owner.
Bobbear.co.uk, which fights money laundering by warning about groups attempting to recruit mules, was left unreachable on Monday after coming under a distributed denial of service attack. Net security firm Sophos reports that the site was taken out by an assault from a botnet of compromised PCs that began late on Sunday. The timing of the assault coincides with the launch of Get Safe Online week in the UK.
According to site admin Bob Harrison, “Undoubtedly it is simply a response to the work I do in highlighting the mainly Russian money laundering and reshipping frauds that are currently plaguing the internet and wrecking the lives of innumerable victims.” Harrison has reported the attack to the Met’s computer crime unit and to Russian domains linked to the assault.
It’s not the first time the site has come under fire from cybercrooks. In October 2007 a spam campaign sought to discredit Bobbear by bombarding all and sundry with supposed begging requests. In reality the “Joe Job” junk mail messages, asking for donations through online payment service e-Gold, were nothing to do with site administrator Bob Harrison or Bobbear.co.uk. UK hosts Fasthosts unwittingly aided fraudsters by temporarily suspending the Bobbear.co.uk domain in response to complaints about the fraudulent emails.
Targeted DDoS attacks against anti-fraud and volunteer cybercrime fighting communities clearly indicate the impact these communities have on the revenue stream of scammers, and with Bobbear attracting such a high profile underground attention, the site is probably doing a very good job.
The British Broadcasting Corporation (bbc.co.uk) was hit by a DDoS attack on Thursday, according to a statement sent to the Inquirer. The BBC said the attack originated in a number of different countries but didn’t specify which. When the BBC techies blocked international access to a limited subset of servers, it resulted in a marked improvement of the serving of bbc.co.uk. Service supplier Siemens was forced to block addresses and prevent the attack using other methods like changing the DNS settings.
The attack, which appears to have lasted for 1 hour and 15 minutes (the longest the site has been offline in all of 2008), was also confirmed by the distributed uptime monitoring company Pingdom earlier today. According to Pingdom, the BBC website responded very slowly during the attack, and its monitoring shows that for a total of 1 hour and 15 minutes it did not respond at all. The downtime was spread over multiple short intervals, lasting just a few minutes each time. The attack lasted the entire evening: it started to have an effect after 5 p.m. CET, and performance was not back to normal until after 10 p.m. CET. Analyzing the website’s response times clearly shows the effect the DDoS attack had on the performance of the BBC website.
With the lack of specific details regarding the DDoS attack provided by the BBC, the reason for this attack is unclear.
Norbits, the largest Norwegian BitTorrent tracker, is going through some rough times. For several days now, the site has been offline due to a DDoS attack. The site has allegedly been hacked by a group called MORRADi, which also claims to have compromised the tracker and is threatening to release personal details of its users, including IPs, unless the tracker is closed.
Norbits is a medium sized community with over 10,000 members, most of them from Norway. Norbits has suffered downtime because of DDoS attacks before, but this time the threat may be more serious than that.
A group called MORRADi takes responsibility for the attack on Norbits. A message released by the groups says (translated): “Once again we show our power! Once again we show your foolishness! This is not the first time we have done it, and it won’t be the last. Enough is enough, you are becoming a real nuisance, and you are also a bunch of idiots that try to hide, so it’s high time we punish you! P2P is not something we want, when will you understand that? Do we have to take it as far as publishing your user database online?”
The message seems to suggest that “sceners” are behind the hack and the attacks, since they don’t want their releases shared on BitTorrent trackers.
This is the second time in two years that the tracker has been under a DDoS attack, and however futile the attackers’ ambitions are in targeting the tracker for promoting the use of P2P, the success of Norbits seems to have already pissed off the local warez scene.
Further investigation indicates a conflict of interest on the Norwegian warez scene with old-school FTP warez groups. The attack is very similar to an apparently still active campaign by old-school warez traders, named “Destroying The P2P’s, One Step at a Time”, whose objective is to expose the owners of BitTorrent trackers, compromise their security and leak personally identifiable information about their users in order to damage their reputations.
DDoS attacks are not an unusual event for many private BitTorrent trackers. Although they are sometimes used as an excuse for server issues, most of the larger trackers have been subject to such attacks at least once.
Conflict between Georgia and Russia on the ground has been accompanied by the relaunch of cyber-attacks against Georgian government websites. The Georgian presidential (www.president.gov.ge) and other government websites (such as www.parliament.ge) were left inaccessible by assaults over the weekend, in a repeat of attacks in late July before tensions over the breakaway region of South Ossetia spilled over into armed conflict.
After a week of discussions on Russian Internet forums, a coordinated cyber attack has been launched against Georgia’s Internet infrastructure. The attacks have already compromised several government web sites, with continuing DDoS attacks against numerous other Georgian government sites forcing the government to switch to hosting locations in the U.S.; Georgia’s Ministry of Foreign Affairs moved to a Blogspot account.
The DDoS attack appears to be using a Russian malware variant from the Pinch family and a command and control server based in Turkey. Nationalist articles in Russian language papers are apparently inspiring Russia’s digital underground to get involved in assaults on Georgia’s web-facing systems.
Unconfirmed reports claim the notorious RBN (Russian Business Network) are behind the attacks and that Georgian internet servers were owned by foreign attackers on Thursday - the day before Russian tanks rolled into South Ossetia. The peak of DDoS attack and the actual defacements started taking place as of Friday. Several Georgian state computer servers have been under external control since shortly before Russia’s armed intervention into the state commenced on Friday, leaving its online presence in disarray. While the official website of Mikheil Saakashvili, the Georgian President, has become available again, the central government site, as well as the homepages for the Ministry of Foreign Affairs and Ministry of Defence, remain down. Some commercial websites have also been hijacked.
The Georgian Government said that the disruption was caused by attacks carried out by Russia as part of the ongoing conflict between the two states over the Georgian province of South Ossetia. In a statement released via a replacement website built on Google’s blog-hosting service, the Georgian Ministry of Foreign Affairs said that a cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs.
The DDoS attacks are so sustained that Georgian President’s web site has recently moved to Atlanta. The original servers located in the country of Georgia were “flooded and blocked by Russians” over the weekend, Nino Doijashvili, chief executive of Atlanta-based hosting company Tulip Systems Inc., said Monday. The Georgian-born Doijashvili happened to be on vacation in Georgia when fighting broke out on Friday. She cold-called the government to offer her help and transferred president.gov.ge and rustavi2.com, the Web site of a prominent Georgian TV station, to her company’s servers Saturday.
More defacements of news sites and popular Georgian portals started taking place as well. Two news websites run by breakaway South Ossetia were hacked on Tuesday morning, officials from the secessionist authorities said. The front page of the website of the news agency OSinform (osinform.ru), which is run by the breakaway region’s state radio and television station IR, retained the agency’s header and logo, but otherwise the entire page featured Alania TV’s website content, including its news and images. Alania TV is supported by the Georgian government and targets audiences in the breakaway region. Another website of the breakaway region’s radio and television station, osradio.ru, was also hacked. Alania TV has denied any involvement, saying it was itself surprised to see its content on the rival news agency’s website.
Shortly after Civil.ge ran the story, it came under DDoS attack, and, just like Georgia’s Ministry of Foreign Affairs, it switched to a Blogger account in case the site remained unavailable. Moreover, Shadowserver posted more details on the command and control servers used in the DDoS attacks:
With the recent events in Georgia, we are now seeing new attacks against .ge sites. www.parliament.ge & president.gov.ge are currently being hit with http floods. In this case, the C&C server involved is at IP address 79.135.167.22 which is located in Turkey. We are also observing this C&C as directing attacks against www.skandaly.ru. Traffic from your network to this IP or domain name of googlecomaolcomyahoocomaboutcom.net may indicate compromise and participation in these attacks.
Interest in cyber attacks as an adjunct to real-world conflict has increased since denial of service attacks took out the internet infrastructure of Estonia in April last year. The attacks coincided with a dispute over the relocation of WWII-era monuments and affected Estonian parliament, bank, newspaper and government sites.
The assaults were blamed on Russian nationalists. Estonian Foreign Minister Urmas Paet suggested that the Kremlin may have had a hand in the attacks but no hard evidence has emerged to substantiate this accusation. Only one person, a locally-resident ethnic Russian, was convicted over the attacks.
Steven Adair from Shadowserver reports a multi-pronged distributed denial of service (DDoS) attack against the website of President of Georgia, Mikhail Saakashvili (www.president.gov.ge). For over 24 hours the website has been rendered unavailable. The attack began very early Saturday morning (Georgian time). Shadowserver has observed at least one web-based command and control (C&C) server taking aim at the website hitting it with a variety of simultaneous attacks. The C&C server has instructed its bots to attack the website with TCP, ICMP, and HTTP floods.
The server [62.168.168.9] which houses the website has been largely offline since the attack started. Passive DNS records show the system houses several other websites which are mostly unrelated to the Georgian government. However, the server does also host the Social Assistance and Employment State Agency website (www.saesa.gov.ge). This website along with the others on the host have been rendered inaccessible.
The C&C server involved in these attacks is on the IP address 207.10.234.244, which is located in the United States. Shadowserver recommends blocking and/or monitoring for traffic to this address. Currently it appears the hosting provider for 207.10.234.244 has taken action against this system and now appears to be blocking access to it. However, the server being targeted by the C&C is still unreachable.
Recent DDoS attacks against various other neighbors of Russia, including Estonia, have been quite common in the last few years. We do not have any solid proof that the people behind this C&C server are Russian. However, the HTTP-based botnet C&C server is a MachBot controller, which is a tool that is frequently used by Russian bot herders. On top of that, the domain involved with this C&C server has seemingly bogus registration information but does tie back to Russia.
Update (July 22): Georgian authorities denied this attack. According to Interfax, Georgian press center claimed that the website worked without difficulties and the reports about a DDoS attack are false.
On Friday, Internet movie database IMDB suffered a sustained distributed denial-of-service (DDoS) attack that coincided with Amazon.com being offline.
A senior member of Narus, a network protection and management company, said in a blog that he found evidence that at least one of the IP addresses used by IMDB fell under a sustained DDoS attack between 10:30 a.m. and 1:30 p.m. PDT Friday.
According to Narus, attempts to load the IMDB page via a direct connection to the Web server under attack (http://72.21.206.70/) did not load any images at all. It seems that IMDB is hosted using Amazon Web Service (AWS) since this IP-address is registered as belonging to Amazon. The duration of the attack on IMDB coincided with the amount of time that Amazon was offline on Friday.
The attacker seemed to open multiple connections to IMDB’s Web server on port 80 while incrementing the source port for every new connection. The attack’s average rate was 3 Mbit/s, certainly not large enough to cause a complete overload but probably enough to delay legitimate users. However, there might have been other attacks launched at the same time on IMDB which weren’t in the path of Narus probes.
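The connection pattern Narus describes (one source opening many port-80 connections with a source port that steps up by one each time, at a modest average bit rate) is easy to pick out of flow records once you know to look for it. The following triage script is an added example, not Narus’s or IMDB’s code: it assumes a constructed NetFlow-style CSV (`ts,src_ip,src_port,dst_ip,dst_port,proto,bytes`), with TEST-NET addresses standing in for the attacker (198.51.100.7), the web server (203.0.113.10) and ordinary clients, and it flags any source whose TCP connections to port 80 mostly use consecutive source ports, reporting how many connections it made and the average rate it pushed at the server.

```python
"""Flow-record triage for a sequential-source-port connection flood.

Added example (not from the page or from Narus). The flow format and all
addresses below are constructed; real NetFlow/IPFIX exports would be
mapped onto the same Flow fields.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float        # seconds since capture start
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp", "udp", "icmp"
    nbytes: int      # bytes sent by src in this flow


def parse_flows(text: str) -> list[Flow]:
    """Parse 'ts,src_ip,src_port,dst_ip,dst_port,proto,bytes' lines.

    Blank lines and '#' comments are skipped.
    """
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sip, sport, dip, dport, proto, nbytes = line.split(",")
        flows.append(Flow(float(ts), sip, int(sport), dip, int(dport), proto, int(nbytes)))
    return flows


def find_sequential_port_bursts(flows, dst_port=80, min_conns=10, min_seq_fraction=0.8):
    """Return {src_ip: stats} for sources whose TCP connections to dst_port
    are numerous and mostly use source ports that increase by exactly one
    from one connection to the next (ordinary clients pick ephemeral ports
    with much larger, irregular gaps)."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dst_port == dst_port:
            by_src[f.src_ip].append(f)

    findings = {}
    for src, fl in by_src.items():
        if len(fl) < min_conns:
            continue
        fl.sort(key=lambda f: f.ts)
        # Fraction of consecutive connection pairs whose source port stepped by +1.
        seq = sum(1 for a, b in zip(fl, fl[1:]) if b.src_port - a.src_port == 1)
        frac = seq / (len(fl) - 1)
        if frac < min_seq_fraction:
            continue
        # Average rate over the burst; floor the span at 1 s so a burst that
        # lands within a single timestamp does not divide by zero.
        span = max(fl[-1].ts - fl[0].ts, 1.0)
        mbit_per_s = sum(f.nbytes for f in fl) * 8 / span / 1e6
        findings[src] = {
            "connections": len(fl),
            "sequential_fraction": frac,
            "mbit_per_s": mbit_per_s,
        }
    return findings


# Constructed sample: one source makes 12 connections over 11 s using ports
# 40000..40011 in order, 343,750 bytes each (3 Mbit/s on average); three
# legitimate clients use random ephemeral ports and send a few KB each.
SAMPLE_FLOWS = "\n".join(
    [f"{k}.0,198.51.100.7,{40000 + k},203.0.113.10,80,tcp,343750" for k in range(12)]
    + [
        "0.4,192.0.2.5,51000,203.0.113.10,80,tcp,5200",
        "2.1,192.0.2.5,51734,203.0.113.10,80,tcp,4100",
        "3.7,192.0.2.9,49002,203.0.113.10,80,tcp,6300",
        "5.0,192.0.2.5,50110,203.0.113.10,443,tcp,9000",
    ]
)


if __name__ == "__main__":
    for src, stats in find_sequential_port_bursts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {stats['connections']} conns, "
              f"{stats['sequential_fraction']:.0%} sequential ports, "
              f"{stats['mbit_per_s']:.2f} Mbit/s")
```

The thresholds (`min_conns`, `min_seq_fraction`) are deliberately loose because the signal is the port pattern, not volume: at 3 Mbit/s this traffic would never trip a bandwidth alarm, which is exactly why Narus had to find it by looking at the connections themselves.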
Update (June 10): A new attack hit Amazon’s US and UK sites Monday morning California time and lasted for about an hour, according to Keynote Systems, which monitors website performance. Visitors of the website received the message: “Http/1.1 Service Unavailable.”
In addition to the possibility of a targeted attack, there are speculations that the outage was inadvertently caused by bots programmed to scoop up the Metal Gear Solid 4 bundle, an 80-GB pack for the PlayStation3, which went on sale on Amazon on Friday.
Amazon declined to discuss the cause of the outages.
Websites run by Radio Free Europe have been under a fierce cyber attack that coincided with coverage over the weekend of a rally organized by the Belarusian opposition.
The distributed denial of service (DDoS) attack initially targeted only RFE’s Belarus service, which starting on Saturday was inundated with as many as 50,000 fake pings every second. On Monday, it continued to be affected. At least seven other RFE sites, for Kosovo, Azerbaijan, Tatar-Bashkir, Farda, South Slavic, Russia and Tajikistan, were also attacked but have mostly been brought back online.
The primary target was the Belarus service, which on Saturday - the 22nd anniversary of the Chernobyl nuclear disaster - offered live coverage of a rally in which thousands of people protested the plight of uncompensated victims and a government decision to build a new nuclear plant. Other Belarusian websites were also hit, including the Minsk-based nongovernmental organization Charter 97. There is no solid evidence, but the Belarusian government might be behind the attacks.
While a state-sponsored attack isn’t outside the realm of possibility, there was no mention that it might be the grassroots work of Belarusian nationalists. Recent attacks against CNN.com were the work of Chinese hacktivists who downloaded and installed DDoS applications as a way of registering their displeasure with the news site’s recent coverage of demonstrations against the Olympic torch relay.
Attacks such as these were also waged last year against Estonia and are sometimes referred to as “asymmetric” because a relatively small group of individuals with modest means is able to hobble a much bigger target. It’s not hard to imagine that something similar is afoot in Belarus.
Regardless of who is behind the attacks, the result is the same: the protest coverage is being disrupted.