CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘DDoS’ Category

Swedish IFPI Website Hit By Pirate Bay Supporters

Thursday, February 19th, 2009

Pirate Bay co-founder Peter Sunde has pleaded with fans to stop attacking official entertainment industry websites after the site of the Swedish wing of the International Federation of the Phonographic Industry (IFPI) was hacked yesterday.

Sunde, who is among four men facing prosecutors representing the likes of Sony, MGM and Universal in the already infamous Pirate Bay trial, uncharacteristically put the boot in yesterday against the hackers.

“Our case is going quite well as most of you have noticed. In the light of that it feels very bad that people are hacking web sites which actually puts us in a worse light than we need to be in,” he said in a post on his “Copy Me Happy” blog.

“If anyone involved in the acts going on is reading this – please stop, for our sake. We don’t need that kind of support,” he added, writing under his brokep moniker.

The trial underwent a dramatic turn of events on Tuesday when chief prosecutor Håkan Roswall scratched copyright infringement allegations against Sunde, Carl Lundström, Frederik Neij and Gottfrid Svartholm Warg from the charge sheet.

Meanwhile, ifpi.se remains out of action as day four of the case gets underway in the Stockholm district court.

The self-styled group The New Generation (Den Nya Generationen) was behind the website hackery and claimed it had attacked the website to show support for the defendants in the case.

According to Sunde, IFPI’s official Swedish website was not the only address targeted by internet intruders. He claimed hackers also gained access to ifpi.org and Sunde’s old domain ifpi.com, where a sneering broadside against the entertainment industry was displayed.

An IFPI spokesman confirmed that the Swedish site had indeed been hacked but claimed that both ifpi.org and ifpi.com had simply been hit by denial of service attacks.

Ladyboydolls.com Website Attacked By Recently Discovered Type Of DDoS

Tuesday, February 10th, 2009

A sustained cyber-attack against niche pornography sites has demonstrated a novel way to inflict major damage on hardened targets using a modest amount of data, a security researcher has warned.

The ongoing attacks on several sites related to transvestite porn work by sending hundreds of thousands of domain name servers a steady stream of packets that contain little more than the character “.” The queries, which are forged so they appear to have been sent from sites such as ladyboydolls.com and triplexbonanza.com, prompt the DNS servers to respond to the targets with a list of the internet’s root servers, responses that contain about eight times more data than the initial request.

The attacks began in mid January and have used some 750,000 DNS servers to spew about 5Gbps worth of junk response packets at one victim alone, said Phil Rosenthal, CTO of ISPrime, an internet provider for one of the sites being attacked. The company has since been able to mitigate the attack using a variety of methods.

The technique tricks the net’s authoritative name servers into bombarding innocent victims with more data than they can handle. It is growing increasingly common and it’s likely only a matter of time before commercial attack kits add it to their arsenal, said Don Jackson, a researcher with Atlanta-based security provider SecureWorks. He also warned there is no easy fix because any remedy will potentially require settings for millions of DNS, or domain-name system, servers to be individually changed.

“The amplifiers in this attack are name servers configured to what is considered best practices,” Jackson told The Register. Preventing the attack will require administrators to make changes to the software running each vulnerable DNS server on the internet, he added.

The amplification technique exploits an artifact in the net’s DNS from the days when it was considered harmless for a name server to respond to misdirected name queries with the name of a more appropriate server to make the request. Read together, RFCs 1034, 1035 and 1912 call for name servers that are queried for the location of the root servers to honor the request, Jackson and others say.

“There’s really no reason to tell the requester that information,” said Randal Vaughn, a professor of information systems at Baylor University and an expert in DNS amplification. “The problem is more related to the fact that at one time DNS servers would need to ask each other for help. When name servers started out, there were assumptions made that requests are legitimate, so we’ll answer them.”

Credit: The Register

New DNS Amplification Method Allows Distributed Denial Of Service Attack

Friday, February 6th, 2009

A new DDoS attack, known as DNS Amplification, has been used sporadically since December. It started getting attention last month when ISPrime, a small New York Internet service provider, started getting hit hard with what’s known as a distributed denial of service (DDoS) attack. The attack was launched by the operator of a pornographic Web site who was trying to shut down a competitor hosted on ISPrime’s network, according to Phil Rosenthal, the company’s chief technology officer. The fight between two pornographic Web sites turned nasty when one figured out how to take down the other by exploiting a weakness in the Internet’s Domain Name System (DNS).

The attack on ISPrime started on the morning of Sunday, Jan. 18. It lasted about a day, but what was remarkable was that a relatively small number of PCs were able to generate a very large amount of traffic on the network. One day later, a similar attack followed, lasting three days. Before ISPrime was able to filter the unwanted traffic, attackers were able to use up about 5Gbit/s of the company’s bandwidth.

With a bit of work, Rosenthal’s staff was able to filter out the hostile traffic, but in an e-mail interview he said that the attack “represents a disturbing trend in the sophistication of denial of service attacks.”

According to Don Jackson, director of threat intelligence at security vendor SecureWorks, we may soon see a lot more of these DNS Amplification attacks. Late last week, the botnet operators, who rent out their networks of hacked computers to the highest bidder, started adding custom DNS Amplification tools to their networks.

One of the things that makes a DNS amplification attack particularly nasty is the fact that by sending a very small packet to a legitimate DNS server, say 17 bytes, the attacker can then trick the server into sending a much larger packet, about 500 bytes, to the victim of the attack. By spoofing the source of the packet, the attacker can direct it at specific parts of his victim’s network.

Jackson estimates that the 5Gbit/s attack against ISPrime was achieved with just 2,000 computers, which sent out spoofed packets to thousands of legitimate nameservers, all of which started flooding the ISPrime network. ISPrime’s Rosenthal says that about 750,000 legitimate DNS servers were used in the attack on his network.
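The mechanics described in this post and in the Feb. 10 post above (a tiny query for the root name servers, a spoofed source address, and a reply many times larger than the request) can be made concrete in code. The following Python is an added example written for this page; it is not code from the article, from ISPrime or from SecureWorks’ analysis. The 17-byte request size falls directly out of the DNS wire format (12-byte header, a single zero-length root label, QTYPE and QCLASS). The 500-byte root-hints reply, the Ethernet/IPv4/UDP header overhead used for the on-the-wire ratio, and the query log lines are assumptions constructed for illustration. The detection heuristic relies on one observation: a genuine resolver asks an authoritative server for the root hints once, not in a steady stream, so a name server seeing repeated “.” NS queries “from” the same address is almost certainly reflecting traffic at a spoofed victim.

```python
"""Added example (not from the article): the root-NS query behind the 2009 DNS
amplification attacks, its amplification factor, and a log heuristic that
flags the spoofed victim on the reflecting name server side."""
import struct
from collections import Counter

QTYPE_NS, QCLASS_IN = 2, 1
REQUEST_BYTES = 17                  # what build_root_ns_query() produces
ROOT_HINTS_RESPONSE_BYTES = 500     # article's "about 500 bytes" (assumption)
L2_L3_L4_OVERHEAD = 14 + 20 + 8     # Ethernet + IPv4 + UDP headers (assumption)


def build_root_ns_query(txid=0x1234):
    """12-byte header + 1-byte root label + QTYPE + QCLASS = 17 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN)  # "." NS IN
    return header + question


def parse_question(packet):
    """Return (qname, qtype, qclass) of the first question; qname is '.' for root."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return (".".join(labels) + "." if labels else "."), qtype, qclass


def is_root_ns_query(packet):
    qname, qtype, qclass = parse_question(packet)
    return qname == "." and qtype == QTYPE_NS and qclass == QCLASS_IN


def amplification_factor(request_bytes, response_bytes, on_wire=False):
    """Payload ratio (about 29x for 17 -> 500 bytes) or, with on_wire=True,
    the frame ratio once headers are counted (about 9x for the same sizes)."""
    if on_wire:
        request_bytes += L2_L3_L4_OVERHEAD
        response_bytes += L2_L3_L4_OVERHEAD
    return response_bytes / request_bytes


# Constructed query log as a name server might record it: "<claimed src> <qname> <qtype>"
SAMPLE_QUERY_LOG = """\
198.51.100.10 . NS
198.51.100.10 . NS
198.51.100.10 . NS
198.51.100.10 . NS
192.0.2.44 www.example.com. A
192.0.2.44 . NS
203.0.113.9 example.net. MX
"""


def find_amplification_targets(log, min_queries=3):
    """Sources that keep asking for the root NS set are probably spoofed victims.
    Returns {src: (root_ns_query_count, estimated_bytes_reflected_at_src)}."""
    root_ns = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        src, qname, qtype = line.split()
        if qname == "." and qtype == "NS":
            root_ns[src] += 1
    return {src: (n, n * ROOT_HINTS_RESPONSE_BYTES)
            for src, n in root_ns.items() if n >= min_queries}


if __name__ == "__main__":
    q = build_root_ns_query()
    print(len(q), parse_question(q), is_root_ns_query(q))
    print(round(amplification_factor(REQUEST_BYTES, ROOT_HINTS_RESPONSE_BYTES), 1),
          round(amplification_factor(REQUEST_BYTES, ROOT_HINTS_RESPONSE_BYTES, on_wire=True), 1))
    print(find_amplification_targets(SAMPLE_QUERY_LOG))
```

Two points worth noting. First, the payload ratio (roughly 29x for 17 bytes in, 500 bytes out) and the on-the-wire ratio (roughly 9x once the 42 bytes of Ethernet, IP and UDP headers are added to both sides) differ a lot, which is why the eight-fold figure quoted in the Feb. 10 post and the 17-versus-500-byte figure quoted here are not in conflict; always say which one you are quoting. Second, the heuristic runs on the reflector, not the victim: the victim only sees unsolicited DNS responses from hundreds of thousands of servers, which is exactly why the article says the fix has to come from upstream filtering and from the operators of the amplifying name servers.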

One of the things that makes the attack particularly nasty is that it’s very hard to protect against. The only real defense is to ask the upstream provider to filter the malicious traffic. It’s not something the victim can do by themselves.

DNS-OARC has published some information on how to prevent BIND DNS servers from being used in one of these attacks. Microsoft was unable to immediately provide information on how to mitigate this particular attack on its own products. SecureWorks has also published a technical analysis of the DNS Amplification attack.

Credit: Robert McMillan, IDG News Service, PC World

DDoS Attack Hits Internet Service Providers In Kyrgyzstan

Wednesday, January 28th, 2009

Kyrgyzstan, a republic located in central Asia, was effectively knocked offline for more than a week by Russian cybercriminals who continue to flood the country’s internet providers with crippling data attacks, according to Don Jackson, a researcher with Atlanta-based security provider SecureWorks.

The attacks, which began on January 18, bear the signature of pro-Russian nationalists believed to have launched similar cyber assaults on the republic of Georgia in August. The attacks on Kyrgyzstan were so potent that most net traffic in and out of the country was completely blocked during the first seven days.

Over the past 48 hours, ISPs have managed to mitigate some of the damage by relocating the servers of their biggest customers to different IP address ranges and employing a technique known as source filtering, which is designed to block harmful traffic while still allowing friendly packets through. Some media organizations and government opposition groups in the country of 5.3 million have not been so fortunate.

Representatives from Kyrgyzstan Domain Registration Service and a service known as www.ns.kg didn’t respond to requests for comments. The two services carry about 80 percent of the country’s traffic, Jackson said.

Researchers from Arbor Networks, which monitors worldwide internet traffic for attacks and other anomalies, said they weren’t seeing any malicious traffic directed toward Kyrgyzstan. Arbor’s Jose Nazario said that was most likely because of a “visibility issue” resulting from the company “not tracking the right botnets.”

The culprits in the attacks on Kyrgyzstan are most likely a group of technically capable Russian citizens recruited by Russian officials, Jackson said. The vast majority of the drones that are bombarding the Kyrgyz targets are located in Russia. The geographic concentration makes source blocking a more effective countermeasure than when the bots are scattered throughout the world.

Jackson speculated the attacks are designed to silence opponents of Kyrgyz President Kurmanbek Bakiyev, who are demanding the leader reverse his plans to close an airbase to the US military in its war in Afghanistan. The Russian government wants the base closed, Jackson said.

The attacks are the latest example of geopolitical disputes spilling into cyberspace, a trend that’s been growing in the past few years. Web and email traffic in Estonia came to a standstill in May of 2007 after civil unrest over that country’s removal of a Soviet-era memorial was accompanied by attacks on the Baltic nation’s internet infrastructure. Attacks on websites belonging to the Georgian government, on Radio Free Europe, and on cable television network CNN (the latter by Chinese hackers) follow a similar pattern.

Credit: The Register

Overclockers.co.uk Offers Reward For DDoS Attackers Information

Thursday, January 22nd, 2009

Overclockers.co.uk is offering a £10,000 reward for information leading to the conviction of attackers who have targeted the technology website in a DDoS lasting over a week. Overclockers is a hybrid hardware hacker enthusiast site and online computer kit reseller set up back in 1999 by Web designer Mark Proudfoot and PC reseller Peter Radford.

In a forum posting on Wednesday, Overclockers.co.uk placed a bounty on the head of cybercrooks who have mounted an attack that has left its online store and forum servers running at a crawl for the last ten days.

The money will be payable to anyone whose information leads to an arrest and conviction against the perpetrators of the attack. Tips can be submitted anonymously, by email.

Overclockers stressed that the attacks are simply affecting the availability of its servers, which are being flooded with a torrent of junk data as a result of the assault, and not the security of data held by or processed through the site. The site has likely suspects in mind, but needs more evidence to take to the police:

Over the last 10 days OcUK servers have been subject to sustained DDoS attacks that have disrupted our on-line store and forums servers. Instigating these kind of attacks is a serious criminal offence and whilst we have strong suspicions who is behind them we need more evidence.

I am offering £10,000 to anyone who can provide evidence that leads to a conviction. You can provide this information anonymously if you want to via jobs@overclockers.co.uk but the evidence must be something that SOCA (Serious Organised Crime Agency) can use. If you do reveal your identity we will only disclose it to the Police with your permission.

I’d like to apologise to all our customers and forum members for any inconvenience caused. I cannot discuss what action is being taken to protect OcUK from these attacks but I assure you wheels are in motion.

Overclockers is applying unspecified security measures, which likely involve traffic filtering by its ISP and the application of DDoS mitigation tools to defend against the attack. Distributed denial of service attacks are nowadays almost always run from networks of compromised machines (botnets), hired for the purpose.

Credit: The Register

GoDaddy.com Hosting Hit By A Major Denial-of-Service Attack

Thursday, January 15th, 2009

A distributed denial-of-service (DDoS) attack took offline several thousand Web sites hosted by GoDaddy.com Wednesday morning. The outage was intermittent over several hours, according to Nick Fuller, GoDaddy.com communications manager. Neither e-mail nor DNS services were interrupted.

While users on GoDaddy’s forums complained about mail service outages and at least several thousand Web sites being unreachable, Fuller said that only a very small percentage of sites were unreachable but would not provide exact numbers “because of security reasons.”

GoDaddy.com’s voice mail system pointed to its support page for more information about the outage and when it would be corrected but there was no information about it there. GoDaddy.com was hit in November 2005 with a similar denial-of-service attack that affected 600,000 of its customers’ hosted Web sites for about an hour.

AlertPay.com Hit By A Massive DDoS Attack, Outage Took A Day To Resolve

Monday, December 1st, 2008

Millions of account holders at privately owned online payment gateway, AlertPay.com, weren’t able to do business through the service yesterday. According to a notice left by a company representative, AlertPay was under a large scale DDoS attack.

Seven hours of downtime right in the middle of the Christmas shopping season, with millions of businesses using the service affected, isn’t coincidental. This DDoS attack, just like the recent DDoS attack against a popular anti-fraud site, may well have been outsourced.

AlertPay’s statement on the situation posted yesterday states:

We are currently experiencing a large scale DDOS attack that has hit our sites which started at approximately 6:00am EST Sunday. We are working with our data center to resolve and/or mitigate this issue. More information will be posted here as we get updates. For the time being customers can connect to AlertPay at an alternate location: https://67.205.87.226

Several hours later, AlertPay issued an update:

We have finally mitigated the massive DDOS attack that started at 6:00am EST. Unfortunately it took almost all day to resolve. The site is operational now, and hopefully we’ll continue to tweak it more tomorrow to ensure this doesn’t happen again. We sincerely apologize for the inconvenience and we understand that this outage affects each of you personally. We’re sorry for that. We will continue to put measures in place so that outages like this do not occur again.

It is unclear who exactly is behind this DDoS attack. It might be an unethical competitor which, in times of international economic meltdown, could try to restore its market position by damaging the reputation and reliability of a known rival. It could also be cybercriminals with a reason to damage a particular online payment processor that has, for example, detected their fraudulent activity and thereby caused them large monetary losses.

Online payment gateways have always been targets for DDoS extortionists, but the emergence of DDoS-for-hire services means that anyone who knows how to contact such a service can outsource an attack and push the responsibility for it onto a third party.

AlertPay is not the first payment gateway to have been hit by a DDoS during the last couple of years. In 2004 four large online payment processors were hit: Worldpay, Authorize, Authorize-It and 2Checkout. In 2006 it was StormPay, and in 2008 LibertyReserve.

Anti Fraud Site Bobbear.co.uk Hit By A DDoS Attack

Monday, November 17th, 2008

Unidentified cyber criminals have launched a denial of service attack on a UK-based anti-fraud website. The popular anti-fraud site Bobbear.co.uk is currently under a DDoS attack (distributed denial of service attack) that is continuing to hit the site with three-quarters of a million hits daily from hundreds of thousands of malware-infected hosts, mostly based in Asia and Eastern Europe, according to the site’s owner.

Bobbear.co.uk, which fights money laundering by warning about groups attempting to recruit mules, was left unreachable on Monday after coming under a distributed denial of service attack. Net security firm Sophos reports that the site was taken out by an assault from a botnet of compromised PCs that began late on Sunday. The timing of the assault coincides with the launch of Get Safe Online week in the UK.

According to site admin Bob Harrison, “Undoubtedly it is simply a response to the work I do in highlighting the mainly Russian money laundering and reshipping frauds that are currently plaguing the internet and wrecking the lives of innumerable victims.” Harrison has reported the attack to the Met’s computer crime unit and to Russian domains linked to the assault.

It’s not the first time the site has come under fire from cybercrooks. In October 2007 a spam campaign sought to discredit Bobbear by bombarding all and sundry with supposed begging requests. In reality the “Joe Job” junk mail messages, asking for donations through online payment service e-Gold, were nothing to do with site administrator Bob Harrison or Bobbear.co.uk. UK hosts Fasthosts unwittingly aided fraudsters by temporarily suspending the Bobbear.co.uk domain in response to complaints about the fraudulent emails.

Targeted DDoS attacks against anti-fraud and volunteer cybercrime fighting communities clearly indicate the impact these communities have on the revenue stream of scammers, and with Bobbear attracting such a high profile underground attention, the site is probably doing a very good job.

BBC Website Hit By DDoS Attack

Tuesday, November 11th, 2008

The British Broadcasting Corporation (bbc.co.uk) was hit by a DDoS attack on Thursday, according to a statement sent to the Inquirer. The BBC said the attack originated in a number of different countries but didn’t specify which. When the BBC techies blocked international access to a limited subset of servers, it resulted in a marked improvement of the serving of bbc.co.uk. Service supplier Siemens was forced to block addresses and prevent the attack using other methods like changing the DNS settings.

The resulting downtime, confirmed earlier today by the distributed uptime monitoring company Pingdom, totalled 1 hour and 15 minutes, the longest the site has been offline in all of 2008. According to Pingdom’s monitoring, the BBC website responded very slowly during the attack and for a total of 1 hour and 15 minutes did not respond at all. The downtime was spread over multiple short intervals, lasting just a few minutes each. The attack lasted the entire evening: it started to have an effect after 5 p.m. CET and performance was not back to normal until after 10 p.m. CET. The website’s response times over that period clearly show the effect the DDoS attack had on its performance.

With the lack of specific details regarding the DDoS attack provided by the BBC, the reason for this attack is unclear.

Norwegian BitTorrent Tracker Norbits Under DDoS Attack

Friday, September 19th, 2008

Norbits, the largest Norwegian BitTorrent tracker, is going through some rough times. For several days now the site has been offline due to a DDoS attack. A group called MORRADi also claims to have hacked the site; it says it has compromised the tracker and is threatening to release personal details of its users, including IP addresses, unless the tracker is closed.

Norbits is a medium-sized community with over 10,000 members, most of them from Norway. Norbits has suffered downtime because of DDoS attacks before, but this time the threat may be more serious than that.

A group called MORRADi takes responsibility for the attack on Norbits. A message released by the group says (translated): “Once again we show our power! Once again we show your foolishness! This is not the first time we have done it, and it won’t be the last. Enough is enough, you are becoming a real nuisance, and you are also a bunch of idiots that try to hide, so it’s high time we punish you! P2P is not something we want, when will you understand that? Do we have to take it as far as publishing your user database online?”

The message seems to suggest that “sceners” are behind the hack and the attacks, since they don’t want their releases shared on BitTorrent trackers.

This is the second time the tracker has come under DDoS attack in the past two years. However futile the attackers’ ambitions in targeting a tracker for promoting the use of P2P, the success of Norbits seems to have already angered the local warez scene.

Further investigation indicates a conflict on the Norwegian warez scene with old-school FTP warez groups. The attack closely resembles an apparently still-active campaign by old-school warez traders, named “Destroying The P2P’s, One Step at a Time”, whose objective is to expose the owners of BitTorrent trackers, compromise their security and leak personally identifiable information about their users in order to damage their reputations.

DDoS attacks are not an unusual event for many private BitTorrent trackers. Although they are sometimes used as an excuse for server issues, most of the larger trackers have been subject to such attacks at least once.