Showing results for tags 'DDOS'.

Found 17 results

  1. DDoS Mitigation Firm Founder Admits to DDoS

     A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service (DDoS) attacks has pleaded guilty to paying a DDoS-for-hire service to launch attacks against others. Tucker Preston, 22, of Macon, Ga., pleaded guilty last week in a New Jersey court to one count of damaging protected computers by transmission of a program, code or command.

     DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors. Preston was featured in the 2016 KrebsOnSecurity story DDoS Mitigation Firm Has History of Hijacks, which detailed how the company he co-founded — BackConnect Security LLC — had developed the unusual habit of hijacking Internet address space it didn’t own in a bid to protect clients from attacks.

     Preston’s guilty plea agreement (PDF) doesn’t specify who he admitted attacking, and refers to the target only as “Victim 1.” Preston declined to comment for this story. But that 2016 story came on the heels of an exclusive about the hacking of vDOS — at the time the world’s most popular and powerful DDoS-for-hire service. KrebsOnSecurity exposed the co-administrators of vDOS and obtained a copy of the entire vDOS database, including its registered users and a record of the attacks those users had paid vDOS to launch on their behalf.

     Those records showed that several email addresses tied to a domain registered by then 19-year-old Preston had been used to create a vDOS account that was active in attacking a large number of targets, including multiple assaults on networks belonging to the Free Software Foundation (FSF). The 2016 story on BackConnect featured an interview with a former system administrator at FSF who said the nonprofit briefly considered working with BackConnect, and that the attacks started almost immediately after FSF told the company’s owners they would need to look elsewhere for DDoS protection.

     Perhaps having fun at the expense of the FSF was something of a meme that the accused and his associates seized upon, but it’s interesting to note that the name of the FSF’s founder — Richard Stallman — was used as a nickname by the co-author of Mirai, a potent malware strain that was created for the purposes of enslaving Internet of Things (IoT) devices for large-scale DDoS attacks. Ultimately, it was the Mirai co-author’s use of this nickname that contributed to him getting caught, arrested, and prosecuted for releasing Mirai and its source code (as well as for facilitating a record-setting DDoS against this Web site in 2016).

     According to a statement from the U.S. Justice Department, the count to which he pleaded guilty is punishable by a maximum of 10 years in prison and a fine of up to $250,000, or twice the gross gain or loss from the offense. He is slated to be sentenced on May 7.

     Source: DDoS Mitigation Firm Founder Admits to DDoS (KrebsOnSecurity - Brian Krebs)
  2. Investigators tracked him down after he logged into his rented servers using his home IP addresses.

     An Illinois man pleaded guilty today for running eight DDoS booter (stresser) services between August 2015 and November 2017. According to court documents obtained by ZDNet, Sergiy Usatyuk, 20, of Orland Park, Illinois, ran ExoStress.in, QuezStresser.com, Betabooter.com, Databooter.com, Instabooter.com, Polystress.com, Zstress.net, and Decafestresser, together with an unnamed Canadian co-conspirator. Authorities said Usatyuk ran these services on top of a botnet comprised of at least 31 powerful servers that the two rented from two US cloud hosting providers.

     Investigators said Usatyuk advertised the DDoS stressers on HackForums.net, an infamous hacking forum, under the name of "Andy." "You can DDOS any IP you want, we don't care," Usatyuk said in one of his HackForums posts before the forum's administrators decided to ban the advertising of DDoS booters on their site altogether, back in October 2016. Court documents say users who signed up on Usatyuk's sites launched 3,829,812 DDoS attacks against thousands of companies, causing hundreds of thousands of downtime. At the time of his arrest, US prosecutors seized 10.74 bitcoin (worth $542,924 at the time) from Usatyuk's account, which they believed he made from running the eight DDoS-for-hire portals.

     Court documents reveal that police tracked down Usatyuk after he logged into one of his rented cloud servers using an IP address that resolved back to his former residence in Darien, Illinois, and later logged into another rented cloud server using an IP address that resolved back to his current home in Hollywood, Florida, cementing him as the primary suspect behind the booters. With this information, authorities tracked down Usatyuk's server network, server payments, and even a hosting company he incorporated in Delaware named OkServers LLC, which security researchers said acted like a bulletproof hosting provider, ignoring abuse reports for the traffic it generated. They also gained access to Usatyuk's online chat logs where he provided technical support for customers of his DDoS booters and ran the sites with his co-conspirator. Authorities tracked down Usatyuk despite the suspect having discussed with his co-conspirator removing server access logs to hide evidence following the high-profile arrest of a similar DDoS booter operator in the UK.

     US authorities started an investigation into Usatyuk's services after his sites were at the center of many DDoS attacks in 2016. For example, ExoStresser was used to launch DDoS attacks against a major video game manufacturer, and a Pennsylvania student used BetaBooter to attack her school's network, also bringing down the IT systems of 17 other organizations in a domino effect. Usatyuk's DDoS-for-hire sites were so popular that he also sold advertising space in their backends to other DDoS booters. His criminal endeavors were also noticed by PayPal, which banned ExoStresser's account in early 2016. This, in turn, made Usatyuk register irngur.org, which he used as an intermediary domain to receive funds made from renting the service.

     In recent years, law enforcement agencies have been cracking down on major DDoS stresser services. Internationally-coordinated operations have taken place in December 2016, April 2018, and December 2018, and more recently authorities have started going after both admins and users of these services alike.

     Article updated with extra information on OkServers LLC. Source
  3. Ukrainian Police have this week busted two separate groups of hackers involved in carrying out DDoS attacks against news agencies and stealing money from Ukrainian citizens, respectively.

     According to the authorities, the four suspected hackers they arrested last week, all aged from 26 to 30 years, stole more than 5 million Hryvnia (around 178,380 USD) from the bank accounts of Ukrainian citizens by hacking into their computers. The suspects carried out their attacks by scanning for vulnerable computers on the Internet and infecting them with a custom Trojan malware to take full remote control of the systems. The group then apparently enabled key-logging on the infected computers in an attempt to capture the banking credentials of victims when the owners of those infected computers filled in that information on any banking site or their digital currency wallet.

     Once they got hold of the victims' banking and financial data, the attackers logged into their online banking accounts and transferred the funds or cryptocurrencies to accounts controlled by the attackers. Besides stealing money, the suspects also left a backdoor on the victims' computers for further control, so that they could use them in the future for carrying out other illicit activities. Criminal proceedings against all four people have been initiated under several articles of the Criminal Code of Ukraine, including theft and unauthorized interference with the work of computers, automated systems, computer networks or telecommunication networks.

     Two Ukrainian DDoS Hackers Arrested

     In a separate press release, Police today announced the arrest of two other hackers, 21- and 22-years-old, suspected of performing DDoS attacks against several critical Ukrainian resources, including news sites of the city of Mariupol and several state educational institutions. According to the authorities, the duo developed two DDoS hacking tools which they used to send hundreds of automatic queries to their targeted regional information resources every second, eventually making their service unavailable. The pair is currently facing up to six years in prison under article 361 of the Criminal Code of Ukraine, which includes unlawful interference with the work of computers, automated systems, computer networks or telecommunication networks.

     Source
  4. After a house search, hacker tried to flee to Cuba in a boat but needed help and was rescued by a Disney cruise ship.

     A Massachusetts man was sentenced today to ten years in prison for launching DDoS attacks on behalf of the Anonymous hacker collective against US children's hospitals in 2014. Martin Gottesfeld, 34, was also ordered to pay $443,000 in restitution for damages caused by his DDoS attacks, which he allegedly carried out with the help of a botnet made up of over 40,000 internet routers.

     The attacks were part of #OpJustina, a campaign of the Anonymous hacker collective, which Gottesfeld backed and was a primary force behind. The campaign aimed to raise public interest in the case of Justina Pelletier, a young girl who was separated from her parents after a diagnosis made by Boston Children's Hospital medical staff. Although the girl was eventually reunited with her parents a year later after it was revealed that doctors misdiagnosed her condition, at the time of the events in 2014, Gottesfeld decided to support her parents' case by launching DDoS attacks against the Wayside Youth and Family Support Network, a Framingham-based mental health counseling clinic where Pelletier was held, but also against Boston Children's Hospital and other Longwood Medical Area hospitals. The attacks, described as huge at the time, knocked the Boston Children's Hospital offline for days, and authorities said they disrupted the hospital's day-to-day operations and its research capabilities.

     Authorities eventually tracked Gottesfeld by a video he uploaded on YouTube, according to court documents. They searched his house but did not arrest him in 2014. Gottesfeld tried to flee to Cuba in a rented boat, but the trip didn't go as planned. They were rescued from the Gulf of Mexico by a Disney ship that answered their SOS call and brought back to the US. He was arrested in 2016 and tried to protest his prosecutor's assignment by entering a hunger strike. The prosecutor assigned to the case was the same who went after Internet activist Aaron Swartz in 2013 and hacker Jonathan James in 2008, both of whom committed suicide following what families described as overly aggressive prosecution tactics.

     Gottesfeld was found guilty in August 2018 of one count of conspiracy to damage protected computers and one count of damaging protected computers. He faced up to five years in prison for the conspiracy charge and another ten years for the count of damaging protected computers.

     Dana Gottesfeld, the suspect's wife, told ZDNet in an email the sentence was "incredibly harsh and way more than people usually get for CFAA violations." "It's also a really stark contrast that Marty got 10 years and Boston Children's Hospital, who literally abused a child, are protected from any kind of accountability," she added. Mrs. Gottesfeld, who has been married to Mr. Gottesfeld for three years, says they plan to file an appeal. She also showed her dissatisfaction toward the court dismissing a 690-page affidavit listing the judge's alleged conflicts of interest in the matter of this case. A much more in-depth look at the Gottesfeld case is available in this reporter's previous coverage for Bleeping Computer.

     Article updated shortly after publication with Mrs. Gottesfeld's comments. Source
  5. The 4 biggest internet service providers in Cambodia have been attacked by large-scale DDoS attacks. The motivation behind the series of attacks is unknown, as there haven’t been any hacktivist campaigns or ransom demanded.

     Recently, several of Cambodia’s internet service provider giants were attacked by a large-scale DDoS attack within the last few days. This report indicated that users of Digi, Telcotech, SINET, and EZECOM confirmed challenges accessing online services throughout the week. Most of these issues became serious on Monday and Tuesday, one report indicated. However, local news in Cambodia called the recent “DDoS attack” the biggest attack to have occurred in the history of the country.

     Sources familiar with the incident reveal that DDoS attacks totaling about 150Gbps struck Cambodian ISPs on Monday. This attack led to downtime which lasted for almost half a day, with internet access speeds slowed down throughout the week. Similarly, smaller-sized DDoS attacks have continued to hit the Cambodian ISPs. On Monday, SINET issued a press release apologizing for the technical problems faced throughout the country as they affected internet connectivity. In a similar fashion, EZECOM released its statement. However, in a swift reaction, some users pointed out that EZECOM, which is a company that offers DDoS mitigation services, didn’t have the capacity to safeguard its infrastructure on its own and required outside specialists to solve the issues.

     These recent DDoS attacks on ISPs in Cambodia were flagrantly evident, as internet traffic charts indicated a big connectivity dip along with latency spikes observed immediately. The primary reason behind this attack is unknown. The ISPs haven’t reported that a ransom was demanded, nor has there been any chatter regarding the issue on social media by any hacktivist campaigns. The ISPs are still trying to figure out the motivation behind this attack, considering the fact that the country is not in any civil or political unrest. Besides this, there have been a series of attacks on websites and companies. However, security experts have advised internet users to be on the lookout, as these attacks may continue to rise.

     Past History of a similar attack by a UK Citizen

     Another theory that has been suggested is that the incident may be inter-ISP sabotage, considering previous happenings. In a similar incident in November 2016, a notorious DDoS botnet targeted and took down some of Liberia’s internet service providers. The attack perpetrated by a UK teen with the hacker pseudonym “BestBuy” had a rough estimate of 500Gbps. Later, the attacker admitted in a German court to having perpetrated the DDoS attack after being paid the sum of $10,000 by an ISP in Liberia to take down its competitors.

     Source
  6. Memcached servers can be hijacked for massive DDoS attacks

     By Andy Patrizio, Network World | Feb 28, 2018 12:21 PM PT

     Any Memcached server not behind a firewall is at risk of being hit by a DDoS attack. A flaw in the implementation of the UDP protocol for Memcached servers can allow anyone to launch a massive Distributed Denial of Service (DDoS) attack with little effort. The problem was first discovered by the 0kee Team from China, which published a paper about it (pdf). This past week, security researchers at content delivery network (CDN) specialist Cloudflare also wrote about the issue. And CDN specialist Akamai and security provider Arbor Networks recently published their findings.

     Memcached is a Web-based massive memory cache for database-driven sites, such as websites, that caches the most frequently retrieved data and keeps it in memory rather than getting it from the hard disk over and over again. It is a combination of open-source software and standard server hardware that consists of memory, memory, and more memory. What researchers found is that Memcached developers have implemented support for the UDP protocol in an insecure way.

     Cloudflare said it detected several DDoS attacks carried out via exposed Memcached servers in the past few days, which is what led to the discovery. “Over last couple of days, we've seen a big increase in an obscure amplification attack vector — using the memcached protocol, coming from UDP port 11211,” the company wrote in a blog post.

     Poorly implemented UDP puts exposed Memcached servers at risk for DDoS attack

     Cloudflare said because UDP wasn't implemented properly, hackers can send a tiny, byte-sized request to an exposed Memcached server, and instead of responding with a response of similar size, it responds with packets that are sometimes thousands of times bigger than the initial request. A carefully prepared technique allows an attacker with limited IP spoofing capacity, such as 1Gbps, to launch very large attacks reaching hundreds of gigabits per second, Cloudflare reported. The company cited one recent DDoS attack launched against its network where attackers sent 15-byte packets and Memcached servers responded with 750KB packets.

     Because it's the UDP protocol, which does not require a source address in its headers, the packet's original IP address can be easily spoofed. So an attacker can trick the Memcached server into sending oversized response packets to another IP address, the hapless target. Memcached servers also expose their UDP port to external connections in the default configuration, meaning any Memcached server not behind a firewall can be abused for DDoS attacks right now.

     The fix is fairly easy, and Cloudflare spells it out in their report. Memcached server users should disable their UDP port immediately and place these servers on private networks behind firewalls.

     SOURCE
  7. The UK police has been trying a new technique to reduce drug trades by remotely disabling drug dealers' phones, rendering the task of contacting their customers useless. Officers have referred to this method as a "DDoS-style" technique, although it could mean anything.

     Alex Murray, an official from West Midlands Police, spoke at the Society of Evidence Based Policing (SEBP) conference last week about the method used. He explained it as a way to deny targeted offenders their supply network, according to conference attendee Dan Reynolds, a serving officer in Cheshire.

     In May of last year, the UK police was already said to be working on remotely disabling phones through the Drug Dealing Telecommunications Restriction Orders Regulations, even if no crime was to be committed. In a section of the DDTRO, it is specified that the UK police could send a restriction order to a telecommunication provider in order for any phone service to be disabled remotely by the telco company, which is most likely what law enforcement is truly doing instead of a real DDoS attack on the dealers' phones. According to a copy of the regulation, devices can be identified by their IMEI, IMSI, an Android ID and much more. This system would be put in place if the police cannot prosecute a drug dealer, but would still like to put a hold on or interfere with the drug trades and their supply channel.

     The West Midlands Police, as well as the National Crime Agency, both declined to further comment on the matter as they are not allowed to discuss the techniques used by law enforcement on stopping drug-related crimes.

     Modmy.com
  8. Major DDoS attacks cost some organizations more than $100,000 in 2017, according to a new NETSCOUT Arbor report.

     Distributed denial-of-service (DDoS) attacks are more complex and cause more financial damage than ever, new data shows. According to NETSCOUT Arbor's 2017 Worldwide Infrastructure Security Report published today, the number of DDoS attacks that cost organizations between $501 and $1,000 per minute in downtime increased by 60%. In addition, 10% of enterprises estimated a major DDoS attack cost them greater than $100,000 in 2017, five times more than previously seen. Now in its 13th year, the report is based on 390 responses from service providers, hosting, mobile, enterprise, and other types of network operators from around the world. A full 66% of all respondents identify as security, network, or operations professionals.

     Gary Sockrider, principal security technologist with NETSCOUT Arbor, says that there was a 20% increase in multi-vector attacks in 2017 compared to the previous year. Multi-vector attacks combine high-volume floods, TCP state exhaustion attacks, and application-layer attacks in a single sustained offensive, which makes the attacks more difficult to mitigate and increases the attackers' chance of success. "We found that nearly half the group said they experienced a multi-vector attack," Sockrider says. "Along with revenue loss, companies also experience customer and employee churn as well as reputational damage," he says.

     DDoS attacks last year originated primarily from China, Russia, and inside the US, according to the report. The top motivators for the attacks were online gaming-related (50.5%), criminals demonstrating DDoS capabilities to potential customers (49.1%), and criminal extortion attempts (44.4%). Political/ideological disputes were fifth on the list at 34.5%. Sockrider says due to the global shortage of IT security talent, many respondents were turning to automation for DDoS mitigation: 36% of service providers use automation tools for DDoS mitigation, and 30% of providers employ on-premise or always-on cloud services for thwarting these attacks.

     Meantime, researchers at Imperva developed a list of the Top 12 DDoS Attack Types You Need to Know. Among them:

     • DNS Amplification: In a reflection type of attack, a perpetrator starts with small queries that use the spoofed IP address of the intended victim. Exploiting vulnerabilities on publicly-accessible DNS servers, the responses inflate into much larger UDP packet payloads and overwhelm the targeted servers.
     • UDP Flood: The perpetrator uses UDP datagram–containing IP packets to deluge random ports on a target network. The victimized system attempts to match each datagram with an application, but fails. The system soon becomes overwhelmed as it tries to handle the UDP packet reply volume.
     • DNS Flood: Similar to a UDP flood, this attack involves perpetrators using mass amounts of UDP packets to exhaust server-side resources. However, in this attack the target is DNS servers and their cache mechanisms, with the goal being to prevent the redirection of legitimate incoming requests to DNS zone resources.

     source
  9. One of the largest and most sophisticated distributed denial of service (DDoS) attacks has hit a controversial online democracy poll canvassing opinion on future Hong Kong elections.

     Over the weekend some 680,000 people cast votes in the unofficial poll that let residents of the special administrative region highlight their preferred political representatives. Candidates were officially chosen by a 1,200-strong committee that was widely considered to be very sympathetic to Beijing.

     Security outfit CloudFlare said it was still fending off the sophisticated DDoS attack as of Monday morning, long after the polls closed. The company's founder and CEO Matthew Prince said it was the most sophisticated attack yet seen. "We saw 300Gbps at the peak of the attack, but it was likely significantly larger than that," Prince told The Register. "This may well have been the largest attack we, or anyone else, have ever seen. It definitely was the most sophisticated."

     While perpetrators were not named, Popvote.hk was an obvious direct threat to Beijing, which had planned to introduce universal suffrage for Hong Kong by 2017 at the earliest. Cloudflare says it was tipped off ahead of the compute-draining attacks and set up a series of DNS sinkholes that stonewalled the attack traffic so it never reached Cloudflare or Popvote.hk. "Since we had advanced warning the attack was coming, we'd put in place measures to sinkhole traffic in certain regions so it never hit our network," Prince said.

     "This is new: Layer 7 HTTPS flood that prioritizes TLSv1/DES-CBC3-SHA, which is CPU intensive. #clevergirl" — Matthew Prince (@eastdakota) June 20, 2014

     The website was closed off to residents outside of Hong Kong to minimise load on the site.

     Source
  10. Several torrent sites hosted at Genious Communications have been suffering from DDoS attacks of up to 30 gigabits per second. Thus far the identity of those behind the attacks remains a mystery, but the CEO of the hosting service isn't ruling out the involvement of copyright watchdogs.

      BitTorrent trackers are no strangers to Distributed Denial of Service (DDoS) attacks. Pretty much all sites of a respectable size are targeted on occasion by unknown sources. In most cases these attacks don’t last too long, but every now and then they get more serious. For example, in recent weeks several French torrent sites have had to deal with a serious flood of unwanted connections, rendering the sites and trackers in question unavailable.

      The Morocco-based provider Genious Communications hosts several of the affected torrent sites, including smartorrent.com and cpasbien.pe. To find out more TorrentFreak contacted CEO Hamza Aboulfeth, who told us that the attacks come in all shapes and sizes. “The biggest attack was on smartorrent.com where we had over 30 Gbit/s which gave us no choice but to nullroute the IP at the moment of the attack,” Aboulfeth says. The attacks range from common HTTP floods to UDP and SYN flood attacks and huge botnets. As a result, Genious has migrated several clients over to a specialized DDoS protection setup. “We have our own professional DDoS protection system so we had to move some of our clients to it, the rest just moved to Cloudflare where they offer decent protection for a reasonable price,” Aboulfeth says. The biggest challenge is to mitigate the attacks on trackers as these are not dealing with regular HTTP requests, but so far the company has managed to take the edge off the assaults.

      The attacks started a few weeks ago and have been continuing ever since at varying intensities. They are all targeted at several of Genious Communications’ file-sharing related clients, but the identities of the individuals behind them remain a mystery. Aboulfeth hasn’t heard of any cash demands, which excludes the extortion scheme several other sites were subjected to earlier this year. According to the CEO, it’s most likely that competitors or an anti-piracy group are behind the attacks. “I think the attacks are most likely coming from competitors or some copyright agency,” Aboulfeth says. “One common thing is they are all French torrent websites, and I know for a fact that I have been contacted by someone hosted somewhere else claiming that one of our clients is attacking him, and of course my client is denying that,” he adds.

      In the long term the sites have no other option than to make sure that they can cope with the DDoS attacks. In most cases they eventually pass, without their victims ever knowing what their purpose was.

      Source: TorrentFreak
  11. PointDNS says most of its DNS servers are online again after a massive DDoS attack late last week took down the service provider.

      A post on the company’s Twitter account on Friday said the provider was adding nameservers and working with network providers to restore service to its customers. Many of those same customers took to social media complaining about downtime and unavailability of their own websites and services. According to its website, PointDNS services more than 220,000 domains worldwide. Earlier today, a post from parent company Copper.io said services were “back to normal.”

      This was the second large attack against a DNS provider in the last two weeks. On April 30, UltraDNS mitigated a DDoS attack that kept most of its customers offline for the better part of a day. The SANS Institute’s Internet Storm Center said the attack peaked at 100 Gbps against one of UltraDNS’ customers. The attack resulted in latency issues for other UltraDNS customers.

      Last week, Incapsula, a cloud-based application delivery company that also sells security services, said it fought back a 25 million packets per second DDoS attack and that many of the DNS queries held non-spoofed IP data. This stands in contrast to many other massive DDoS attacks of late, in particular reflection or amplification attacks, that rely on spoofed addresses to send massive quantities of bad traffic at a target. The Incapsula-mitigated attack was traced back to IP addresses belonging to a pair of DDoS protection services, which are designed for high-capacity traffic management, Incapsula said. Hackers can take advantage of this to pull off DDoS attacks without amplification.

      These latest attacks, meanwhile, continue a trend of volumetric DDoS attacks reaching new heights. A recent report from Arbor Networks said the provider has already tracked more than 70 DDoS attacks that topped 100 Gbps or more of malicious traffic. The largest on record reached between 325 Gbps and 400 Gbps of traffic. Almost all of these attacks rely on DNS reflection or, in a growing number of cases, on Network Time Protocol amplification. In both cases, IP addresses are spoofed as the target's, and massive amounts of traffic are sent their way at no cost to the attacker.

      US-CERT issued an advisory in January warning companies that hackers were exploiting NTP vulnerabilities to flood networks with UDP traffic. NTP servers are publicly available machines used to synchronize computer clocks. With NTP amplification attacks, hackers exploit the MON_GETLIST feature in NTP servers, which returns the IP addresses of the last 600 machines interacting with an NTP server. Monlists are a classic set-and-forget feature and are vulnerable to hackers making forged REQ_MON_GETLIST requests enabling traffic amplification. With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet to launch large-scale DDoS attacks.

      The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud.

      Source
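Items 6, 8 and 11 above describe the same mechanism from three angles: a small UDP request carrying the victim's spoofed source address is answered by memcached (UDP 11211), an NTP server's monlist (UDP 123) or an open DNS resolver (UDP 53) with a response many times larger. The script below is an added example, not code from any of the quoted articles or from Cloudflare, Arbor, Imperva or Incapsula. It pairs request and response flows in a constructed NetFlow-style text log and flags reflector/victim pairs with a suspicious byte amplification factor. The same logic covers both vantage points: a target sees large responses with no matching request (the factor is reported as infinity), while an unwittingly exposed reflector sees a tiny inbound request followed by a huge outbound reply. The port list, thresholds, field layout and sample addresses are assumptions made for the demonstration.

```python
"""Flag UDP reflection/amplification traffic in flow records.

Added example (not code from the quoted articles or from Cloudflare, Arbor or
Imperva). Input is a constructed NetFlow-style text log; addresses, ports,
thresholds and the sample flows are assumptions made for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services the articles name as reflectors: memcached (11211), NTP monlist (123)
# and open DNS resolvers (53). Thresholds are assumptions; tune them to your network.
REFLECTOR_PORTS = {11211: "memcached", 123: "ntp", 53: "dns"}
MIN_AMPLIFICATION = 10.0      # response bytes / request bytes
MIN_RESPONSE_BYTES = 100_000  # ignore small, ordinary exchanges


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


def parse_flows(lines):
    """Parse lines of the form 'src_ip:port dst_ip:port proto bytes packets'."""
    flows = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        src, dst, proto, nbytes, packets = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(src_ip, int(src_port), dst_ip, int(dst_port),
                          proto.lower(), int(nbytes), int(packets)))
    return flows


def find_amplification(flows):
    """Pair each UDP flow leaving a reflector port with the reverse flow (the
    request) and report pairs whose byte ratio is suspicious.

    From the victim's vantage point the request side is absent (the attacker
    spoofed the victim's address), so the factor is reported as infinity; from
    a reflector's vantage point a tiny request precedes a huge response."""
    requests = defaultdict(int)   # (client_ip, client_port, server_ip, server_port) -> bytes
    responses = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port in REFLECTOR_PORTS:
            requests[(f.src_ip, f.src_port, f.dst_ip, f.dst_port)] += f.nbytes
        if f.src_port in REFLECTOR_PORTS:
            responses[(f.dst_ip, f.dst_port, f.src_ip, f.src_port)] += f.nbytes

    findings = []
    for key, resp_bytes in responses.items():
        if resp_bytes < MIN_RESPONSE_BYTES:
            continue
        req_bytes = requests.get(key, 0)
        factor = resp_bytes / req_bytes if req_bytes else float("inf")
        if factor >= MIN_AMPLIFICATION:
            client_ip, _client_port, server_ip, server_port = key
            findings.append({
                "service": REFLECTOR_PORTS[server_port],
                "victim": client_ip,          # address the responses are sent to
                "reflector": server_ip,
                "request_bytes": req_bytes,
                "response_bytes": resp_bytes,
                "factor": factor,
            })
    findings.sort(key=lambda r: r["response_bytes"], reverse=True)
    return findings


def bytes_per_victim(findings):
    """Total amplified bytes aimed at each victim address."""
    totals = defaultdict(int)
    for r in findings:
        totals[r["victim"]] += r["response_bytes"]
    return dict(totals)


# Constructed sample: 203.0.113.7 is the target, 198.51.100.0/24 hosts the reflectors.
SAMPLE_FLOWS = """
203.0.113.7:55123   198.51.100.10:11211 udp 15      1    # 15-byte spoofed request
198.51.100.10:11211 203.0.113.7:55123   udp 750000  520  # memcached answer, 50,000x larger
198.51.100.20:123   203.0.113.7:40001   udp 440000  900  # NTP monlist answers, no request seen
203.0.113.9:40002   198.51.100.30:53    udp 4000    40   # ordinary DNS lookups
198.51.100.30:53    203.0.113.9:40002   udp 12000   40
203.0.113.7:33000   198.51.100.40:80    tcp 5000    30   # TCP download, not a reflection vector
198.51.100.40:80    203.0.113.7:33000   tcp 2000000 1500
192.0.2.5:50000     198.51.100.10:11211 udp 2000    20   # legitimate memcached client
198.51.100.10:11211 192.0.2.5:50000     udp 9000    30
"""

if __name__ == "__main__":
    report = find_amplification(parse_flows(SAMPLE_FLOWS.splitlines()))
    for r in report:
        print(f"{r['service']:9} reflector={r['reflector']:15} victim={r['victim']:15} "
              f"req={r['request_bytes']} resp={r['response_bytes']} factor={r['factor']}")
    print("bytes per victim:", bytes_per_victim(report))
```

On the sample log only the memcached and NTP pairs are reported; the ordinary DNS lookups, the legitimate memcached client and the TCP download fall below the thresholds or are not UDP at all. A finding with request_bytes of 0 is the victim-side signature, whereas a finding whose reflector address is inside your own network means one of your hosts is being abused, which is the case the memcached article's advice addresses: stop listening on UDP (memcached's `-U 0` option) and keep the service off the public Internet.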
  12. UPDATE – UltraDNS said it has mitigated a distributed denial of service (DDoS) attack for most of its customers after the service was held down for most of the day. “Currently, only customers utilizing a segment of UltraDNS Name Server addresses are experiencing resolution latency due to intermittent network saturation in the Western US,” said Neustar director of product management, security solutions, Jim Fink in an email to Threatpost. “We continue to aggressively refine mitigations for these customers and hope to have the issue resolved shortly. We have been and will continue to provide regular updates to our UltraDNS customers via our usual customer notification process.” UltraDNS is a Neustar company. The SANS Institute’s Internet Storm Center said this afternoon that it received multiple reports of outages and DNS resolution issues, reportedly because of a 100 Gbps DDoS attack against one of UltraDNS’ customers that resulted in latency issues for others. “One reporting party did indicate that they learned that the management of UltraDNS had said that one of their customers was being attacked and that they black-holed that customer to get back on trend,” wrote ISC handler Russ McRee. “Resolver nodes around the world are resetting.” DDoS attacks the size of this one are quickly becoming the norm. A report from Arbor Networks this week said it has already tracked more than 70 DDoS attacks of 100 Gbps or more of bad traffic, topping out at 325 Gbps. The largest attacks on public record were recorded by traffic optimization and security provider CloudFlare Most volumetric attacks rely on some kind of amplification such as DNS reflection or Network Time Protocol amplification attacks where the requesting IP address is spoofed as the target’s and massive amounts of traffic is returned at relatively little cost to the attacker. 
With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet to launch large-scale DDoS attacks. The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud.

Beginning with the DDoS attacks against large U.S. banks early last year, the spike in these attacks merited a mention in the recent Verizon Data Breach Investigations Report.

“We’re seeing a growing trend of combining DDoS with APT campaigns,” said Arbor Networks’ Gary Sockrider. “Go back a few years, and DDoS was thought of more as a takedown mechanism, not for data exfiltration. Now we’re seeing it more frequently combined with APT, prolonged campaigns where an attacker is on your network and now needs to get the data out, they’ll initiate a DDoS attack. It’s the equivalent of a natural disaster and while you’re dealing with it, that’s when they’ll exfiltrate data.”

Source
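Items 11 and 12 above both describe the same mechanism: a reflector (an open DNS resolver or an NTP server with monlist enabled) answers a small spoofed request with a large reply to the victim. As an added example that is not from either article, here is how the operator of such a server could spot in its own flow records that it is being abused as an amplifier: for each client and UDP service port, compare bytes received with bytes sent back and flag any client that is "answered" far more than it asked. The flow records, the server address 198.51.100.10 and the ratio cut-off are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed values: the two UDP services the articles name as amplifiers, and an
# arbitrary cut-off for "replied with far more bytes than it received".
AMPLIFIER_PORTS = {53, 123}
RATIO_THRESHOLD = 10.0


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX style), constructed for this example."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    octets: int


# Constructed sample: our reflector is 198.51.100.10 (a documentation address).
SAMPLE_FLOWS: List[Flow] = [
    # A well-behaved NTP client: one small request, one small reply.
    Flow("10.0.0.5", 50123, "198.51.100.10", 123, "udp", 1, 90),
    Flow("198.51.100.10", 123, "10.0.0.5", 50123, "udp", 1, 90),
    # Reflection pattern: a single tiny "request" whose source address is really
    # the victim, answered by 100 large monlist-style packets.
    Flow("203.0.113.7", 51000, "198.51.100.10", 123, "udp", 1, 234),
    Flow("198.51.100.10", 123, "203.0.113.7", 51000, "udp", 100, 48200),
    # Open-resolver pattern: one 70-byte DNS query, a 3000-byte answer.
    Flow("192.0.2.9", 40001, "198.51.100.10", 53, "udp", 1, 70),
    Flow("198.51.100.10", 53, "192.0.2.9", 40001, "udp", 2, 3000),
    # Ordinary DNS lookup from an internal host.
    Flow("10.0.0.8", 40002, "198.51.100.10", 53, "udp", 1, 70),
    Flow("198.51.100.10", 53, "10.0.0.8", 40002, "udp", 1, 120),
    # Unrelated TCP traffic is ignored by the check.
    Flow("10.0.0.8", 40003, "198.51.100.10", 80, "tcp", 20, 18000),
]


def amplification_ratios(flows: List[Flow], server_ip: str) -> Dict[Tuple[str, int], Tuple[int, int, float]]:
    """Per (client, service port): bytes the client sent us, bytes we sent back, ratio.

    Only UDP on the amplifier ports is counted. A client that received replies
    without ever sending a request gets an infinite ratio.
    """
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_ip == server_ip and f.dst_port in AMPLIFIER_PORTS:
            bytes_in[(f.src_ip, f.dst_port)] += f.octets
        elif f.src_ip == server_ip and f.src_port in AMPLIFIER_PORTS:
            bytes_out[(f.dst_ip, f.src_port)] += f.octets
    stats = {}
    for key in set(bytes_in) | set(bytes_out):
        sent, replied = bytes_in[key], bytes_out[key]
        ratio = replied / sent if sent else float("inf")
        stats[key] = (sent, replied, ratio)
    return stats


def suspected_reflection(flows: List[Flow], server_ip: str, threshold: float = RATIO_THRESHOLD) -> List[Tuple[str, int]]:
    """Clients whose reply volume exceeds their request volume by `threshold` or
    more, i.e. the addresses most likely being used as spoofed victims."""
    return sorted(key for key, (_, _, r) in amplification_ratios(flows, server_ip).items()
                  if r >= threshold)


if __name__ == "__main__":
    stats = amplification_ratios(SAMPLE_FLOWS, "198.51.100.10")
    for client, port in suspected_reflection(SAMPLE_FLOWS, "198.51.100.10"):
        sent, replied, ratio = stats[(client, port)]
        print(f"udp/{port}: {client} sent {sent} B, was sent {replied} B (x{ratio:.0f})")
```

A flagged client is the address to rate-limit or to stop answering monlist and large ANY-style queries for; the real fix on the reflector side is to disable monlist and close the resolver to the Internet, which the ratio check then confirms by showing no further amplified replies.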
13. The way Facebook Notes handles HTML image tags could give an attacker the ability to launch distributed denial of service attacks against external sources, using the power of the massive network to amplify the attack.

Facebook Notes is a sort of Tumblr-like internal blogging feature built into the world’s largest social network. It lets users write, edit, and publish content in excess of Facebook’s 63,206-character limit imposed on status updates. Facebook lets users embed various HTML tags into their notes. However, the way that Facebook processes <img> tags could present serious problems for the sources and hosts of those images.

Independent researcher Chaman Thapa wrote on his personal blog earlier this week that whenever an <img> tag is used in Facebook Notes, the social network crawls the image from the external server where it is stored and caches the image. He explains that Facebook only caches each image once, but the cached version can be bypassed using random GET parameters – essentially tricking Facebook into thinking that one image is multiple images and causing the service to crawl the source of that single image as many times as there are random GET parameters targeting it.

Thapa claims that bigger files, like PDFs or videos, could amplify the attack. Given enough GET requests, this could create a denial-of-service condition for the server hosting the image file being crawled. With limited computing resources, Thapa managed to generate 900 Mbps of outgoing traffic by compelling Facebook to crawl a 13 MB PDF file. Thapa claims that 12 of Facebook’s servers attempted to fetch the PDF file some 180,000 times.

Thapa reported the bug to Facebook. At first, he said, the company misunderstood the vulnerability, thinking it could only cause a 404 error, and that such an error did not constitute a high-impact bug.
After some back and forth between Thapa and Facebook’s security team, the social network eventually conceded that the bug does in fact exist. They also told Thapa that his bug did not qualify for a bug bounty payment because they had no intention of fixing it:

“In the end, the conclusion is that there’s no real way to fix this that would stop ‘attacks’ against small consumer grade sites without also significantly degrading the overall functionality,” Thapa cites Facebook as having said. “Unfortunately, so-called ‘won’t fix’ items aren’t eligible under the bug bounty program, so there won’t be a reward for this issue.”

The representative did, however, offer the following consolation to Thapa:

“I want to acknowledge, however, both that I think your proposed attack is interesting/creative and that you clearly put a lot of work into researching and reporting the issue last month. That IS appreciated and we do hope that you’ll continue to submit any future security issues you find to the Facebook bug bounty program.”

Thapa says he reported the bug to Facebook on March 3. The above correspondence took place on April 11.

A Facebook spokesperson confirmed Thapa’s account of events to Threatpost. “We appreciated this report and discussed it at some length. Ultimately, we decided against making changes to avoid disrupting intended and desirable functions,” the spokesperson said.

Thapa wrote that he is unsure why Facebook is choosing not to fix his bug. A source with technical understanding of bugs like this one explained to Threatpost that if a site were to receive large amounts of traffic in this manner, rate-limiting or disabling based on the user agent would be an effective defense.

“I’m not sure why they are not fixing this,” Thapa wrote. “Supporting dynamic links in image tags could be a problem and I’m not a big fan of it. I think a manual upload would satisfy the need of users if they want to have dynamically generated image on the notes.”

Source
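The defense the Threatpost source mentions, rate-limiting on the user agent, as an added example (not Thapa’s code, and not anything from Facebook): a sliding-window limiter keyed on User-Agent and resource path, where the path is taken without its query string so that the randomised GET parameters described above all count against the same file. The user-agent strings, the request log and the limits below are constructed for the example, not taken from the article.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple
from urllib.parse import urlsplit


def canonical_resource(url: str) -> str:
    """Drop the query string so /big.pdf?r=1 and /big.pdf?r=2 count as one resource.

    Assumption: the cache-busting parameters the article describes mean nothing to
    the origin server, so they should not be able to defeat the limiter either.
    """
    return urlsplit(url).path or "/"


class FetcherRateLimiter:
    """Sliding-window limiter keyed on (User-Agent, resource path).

    Each key may be served at most `max_requests` times in any `window` seconds;
    the excess is denied (a real server would answer HTTP 429 or 503).
    """

    def __init__(self, max_requests: int, window: float) -> None:
        self.max_requests = max_requests
        self.window = window
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def allow(self, user_agent: str, url: str, now: float) -> bool:
        key = (user_agent, canonical_resource(url))
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # expire timestamps outside the window
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def replay(requests: List[Tuple[float, str, str]], limiter: FetcherRateLimiter) -> Dict[str, Tuple[int, int]]:
    """Run (timestamp, user_agent, url) tuples through the limiter in time order;
    return {user_agent: (served, denied)}."""
    served = defaultdict(int)
    denied = defaultdict(int)
    for ts, ua, url in sorted(requests, key=lambda r: r[0]):
        if limiter.allow(ua, url, ts):
            served[ua] += 1
        else:
            denied[ua] += 1
    return {ua: (served[ua], denied[ua]) for ua in set(served) | set(denied)}


# Constructed log: a crawler pulling the same PDF 20 times within two seconds,
# each time with a different cache-busting parameter, next to one real browser.
CRAWLER_UA = "ExampleCrawler/1.0 (constructed)"
BROWSER_UA = "Mozilla/5.0 (constructed browser)"
SAMPLE_REQUESTS = [(i * 0.1, CRAWLER_UA, f"/big.pdf?r={i}") for i in range(20)] + [
    (0.5, BROWSER_UA, "/big.pdf"),
    (1.5, BROWSER_UA, "/index.html"),
]

if __name__ == "__main__":
    outcome = replay(SAMPLE_REQUESTS, FetcherRateLimiter(max_requests=5, window=10.0))
    for ua, (ok, no) in sorted(outcome.items()):
        print(f"{ua}: served {ok}, denied {no}")
```

Keying on the user agent alone would throttle every legitimate preview fetch from the same crawler across the whole site; adding the canonical path keeps the limit per resource, which is what the cache-bypass trick actually hammers.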
14. U.S. regulators are warning banks this week about a recent rash of “large dollar value” ATM fraud and the ongoing risk posed by distributed denial of service (DDoS) attacks that target public bank websites.

Members of FFIEC, the Federal Financial Institutions Examination Council, an interagency body of the U.S. government responsible for preparing banking standards and principles, issued the warnings in a statement yesterday.

FFIEC claims attackers have been able to gain access to and alter the settings on web-based ATM control panels belonging to small to medium sized institutions. The campaign, nicknamed “Unlimited Operations” by the U.S. Secret Service, is allowing attackers to withdraw money beyond controlled limits on ATMs, oftentimes more than the victim’s cash balance.

FFIEC’s warning describes exactly how the control panels figure into the ATMs:

“These control panels, often web-based, manage the amount of money customers may withdraw within a set time frame, the geographic limitations of withdrawals, the types and frequency of fraud reports that its service provider sends to the financial institutions, the designated employee that receives these reports, and other management functions related to card security and internal controls.”

Officials are claiming hackers used phishing attacks to secure legitimate employee log-ins and tweak these settings to carry out their attacks, including one that netted them $40 million with 12 debit card accounts.

FFIEC also used the announcement as an opportunity to remind banks about the continued sophistication of DDoS attacks – pointing out a string of attacks that affected institutions in 2012 and warning that they can be used as a “diversionary tactic,” granting hackers the time to root around systems.

Naturally, FFIEC is encouraging banks to mitigate further risk by following standards already in place, such as PCI-DSS and HSM, when it comes to encrypting PINs.
The agency is also encouraging banks, if they haven’t already, to formulate some sort of DDoS readiness plan with a program that prioritizes and assesses risks in its critical systems. “The members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks,” the joint statement reads.

We first learned about “Unlimited Operations” last spring after eight members of the cybercrime ring were indicted in Brooklyn. Associates in at least 26 countries helped the crew cash out fake credit cards at 140 different ATMs to the tune of $45 million – $2.8 in NYC – in just shy of 24 hours. According to a federal indictment unsealed last year, the money was later spent on kickbacks such as luxury cars and Rolex watches.

Source
15. The website for the United States National Security Agency suddenly went offline Friday.

NSA.gov has been unavailable globally as of late Friday afternoon, and Twitter accounts belonging to people loosely affiliated with the Anonymous hacktivism movement have suggested they are responsible.

Twitter users @AnonymousOwn3r and @TruthIzSexy both were quick to comment on the matter, and implied that a distributed denial-of-service attack, or DDoS, may have been waged as an act of protest against the NSA. Allegations that those users participated in the DDoS — a method of overloading a website with too much traffic — are currently unverified, and @AnonymousOwn3r has previously taken credit for downing websites in a similar fashion, although those claims have been largely contested.

The crippling of NSA.gov comes amid a series of damning national security documents that have been disclosed without authorization by former intelligence contractor Edward Snowden. The revelations in the leaked documents have impassioned people around the globe outraged by evidence of widespread surveillance operated by the NSA, and a massive “Stop Watching Us” rally is scheduled for Saturday in Washington, DC.

DDoS attacks are illegal in the United States under the Computer Fraud and Abuse Act, or CFAA, and two cases are currently underway in California and Virginia in which federal judges are weighing in on instances in which members of Anonymous allegedly used the technique to take down an array of sites during anti-copyright campaigns waged by the group in 2010 and 2011. In those cases, so-called hacktivists are reported to have conspired together to send immense loads of traffic to targeted websites, rendering them inaccessible due to the overload.

Source: RT
16. A 12-year-old boy pleaded guilty to three counts of hacking in a Canadian court on Thursday.

The fifth grader, who was 11 at the time of the offences, aided Anonymous in DDoS attacks against government sites during the 2012 Quebec student protests. The boy contributed to the crashing of sites and acquired user and administrator information from database servers. He is also accused of defacing the front page of websites.

The Toronto Sun reports one of the hacked sites was down for two days, causing over $60,000 in damage. A report is expected to detail the extent of the attacks on targets such as Montreal Police and the Chilean government next month.

It is reported the hacktivist group Anonymous paid for his hacking skills with video games.

"It's easy to hack but do not go there too much, they will track you down," the primary school student said.

The 12-year-old was among several hackers arrested over the Anonymous protest. His lawyer says he saw it as a challenge and that “there was no political purpose.” The fifth grader is to be sentenced next month.

source: neowin
17. Orbital Decay: the dark side of a popular file downloading tool

BY ARYEH GORETSKY POSTED 21 AUG 2013 AT 11:59AM

[UPDATE: Popular file download site MajorGeeks has removed Orbit Downloader from their site. 2013-08-23 19:00 AG]

Introduction

Orbit Downloader by Innoshock is a popular file downloading add-on for web browsers, used not only to speed up the transfer of files over the Internet but also for its ability to download embedded videos from popular streaming video sites like YouTube.

Figure 1 – Orbit Downloader

Orbit Downloader has been around since at least 2006 and, like many programs these days, is available for free. The developer, Innoshock, generates its revenue from bundled offers such as OpenCandy, which installs third-party software and displays advertisements. This type of advertising arrangement is normal behavior these days and one of the things that ESET’s researchers regularly look at when determining whether or not a program is to be classified as a Potentially Unwanted Application (PUA). While that process is likewise fairly routine for ESET’s researchers, it is one which requires careful examination because the reasons for which programs may be classified as a PUA vary on a case-by-case basis.

Criminals understand that computer users want to download files and streamed videos and have already begun to take advantage of the situation, as computer security researcher Graham Cluley noted in a post on his blog, “Is that YouTube Video Downloader browser plugin safe? Beware!“

What is unusual, though, is to see a popular utility containing additional code for performing Denial of Service (DoS) attacks, which is exactly what our threat researchers found during an otherwise routine examination of the Orbit Downloader software package.
Given the age and popularity of Orbit Downloader (it is listed as one of the top downloads in its category on several popular software web sites), the program might be generating gigabits (or more) of network traffic, making it an effective tool for Distributed Denial of Service (DDoS) attacks. ESET identifies versions of Orbit Downloader containing this attack code as Win32/DDoS.Orbiter.A.

Orbital Mechanics

Sometime between the release of version (December 25, 2012) and version (January 10, 2013), an additional component was added to orbitdm.exe, the main executable module for Orbit Downloader. Here is what it does:

When orbitdm.exe is run, it sends an HTTP GET request to Orbit Downloader’s server at. The server responds with two URLs containing further information:

The first URL, named “url“, currently responds with the URL which points to the location of a Win32 PE DLL file that is silently downloaded by the software. So far, ESET’s researchers have seen more than a dozen different versions of this DLL file.

The second URL, named “param“, initially responded with an URL of language. Several days ago, this switched to language. For both URLs, the language variable was set to ENU for English, SKY for Slovak and so forth.

The second URL, “param“, seems to generate a response via HTTP POST based on the language parameter sent to the server in Step 1. Most of the time the configuration files were not very interesting to look at, consisting of zero values such as:

[update]
begintime=00000000000000
endtime=00000000000000

We did, however, observe one interesting response that stood out:

[update]
url=http://www.kkk.com
exclude=
param=200

It is unclear to us why the Ku Klux Klan’s web site was chosen, as no similar sites were seen during our monitoring. This may have simply been a test by the tool’s authors to verify it was working.
This screenshot from a packet capture shows the HTTP GET requests from Orbit Downloader as it downloads the configuration file used to target the attack and the DLL used to perform it:

Figure 2: example of HTTP GET requests

Examination of the Win32 PE DLL by ESET’s researchers reveals an exported function with the name SendHTTP which performs two actions:

The first action is to download an obfuscated configuration file from containing a list of targets to attack. The second action is to perform the attack against the targets listed in the configuration file.

Here is a screen shot showing one of the il.php configuration files:

Figure 3: example of il.php file

Once extracted, entries appear in the format of a URL, followed by an equal sign “=” and an IP address. Here are some entries from another il.php configuration file we examined:

bbs1.tanglongs.com/2DClient_main.swf=
tanglongs.com/static/script/jquery-1.7.1.min.js=

The first portion of an entry, the URL, is the target of the DoS attack. The source IPs are randomly generated. In some instances, we downloaded blank il.php configuration files. This may have meant there were no current targets.

Two types of attacks have been observed:

If WinPcap is present, specially crafted TCP SYN packets are sent to the targeted machines on port 80, with random source IP addresses. This kind of denial of service attack is known as a SYN flood. It should be noted that WinPcap is a legitimate third-party tool bundled with many programs and is otherwise unrelated to this attack.

If WinPcap is not present, TCP packets containing an HTTP connection request are sent to port 80 and UDP datagrams are sent to port 53 on the targeted machines.

These attacks, while basic, are effective due to their throughput: on a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam.
These blocks of IP addresses were hardcoded into the DLL file downloaded from ido.ipl; different ranges may have been used in the past, though, and could change in future versions of the DLL file.

Orbit Eccentricity

As mentioned above, the configuration file downloaded from Orbit Downloader’s server is encrypted to avoid casual examination. The first step is that files are encoded in base64, an encoding scheme most often used to send binary files as file attachments. After decoding, the data is then XORed with a fixed 32-character string. That 32-character string is actually the MD5 hash of a 9-character password that is hardcoded into the DLL file. After this operation, each pair of consecutive bytes is XORed together to generate a single byte of plaintext. While each download of the encrypted data from the server varies, the actual content, once converted to plaintext, has remained constant for considerably longer periods of time.

Historical Orbits

Looking through older versions of Orbit Downloader, it appears that the DoS functionality has been present for some time, if not actively used, in a program file named orbitnet.exe, and not orbitDM.exe like the current version. Also, this older version downloaded its configuration file from static.koramgame.com and not from the orbitdownloader.com domain. Curiously, the version of orbitnet.exe containing the DoS code (version ) does not appear to be bundled with any of the installation packages released by Orbit Downloader, although an older version,, appears to be distributed with the current version of Orbit Downloader, version, released May 2, 2013.

Conclusion

While we are just as puzzled as everyone else as to why this popular file downloading utility now contains remotely-updating DDoS functionality, we are taking action to protect ESET’s users from it. Beginning with virus signature database 8604, versions of Orbit Downloader with DoS functionality are detected by ESET’s software as Win32/DDoS.Orbiter.A.
In the meantime, until Innoshock, the developer of Orbit Downloader, explains this behavior and/or releases an updated version without this unwanted functionality, we recommend uninstalling this program and using a different file downloader.

The following are the MD5 hashes of files analyzed in this article:

036b2f895fa1d64a1f1821ce9f61a56b
1896b319f5f5b101c028066c659c354e
1ce53a55317ae1f7eaef65b6241c66c8
28c22bac5621f058deb67ea9d7249de9
33544b3c3de8113847f8a676bbdf2db6
3988b798439e7d2deb03bb265cb9277a
3cbe133243e78e15445ad70fd33fc667
44d9dbe00e0396dbbac0efb3631bd8a1
809d5a4af232f08f88d315b116e47828
9e898210781061805844cc90cb77d3bd
9ef50486265891aff5542c3581934ab3
aaeb12d4b2498fb271d50fb31f4e1d5d
bd80f4eec1246289d3d735d8d0c7a57e
c21c7845b4f9510f9f18e4da284a5af5
d3a2438ee876a8780dfee73b8d266118
d8595fcc4ccbd7a742455ed30b156d69
e16366ee9ae1086bc86a719eaeebeb7b
f76c4e8ebcc79aa16f4254ed219a2857
f99c2446ddaa5ee9ebaf2abbc70d4a94

I would like to thank my colleagues Daniel, David, Hugo, Jean-Ian, Peter and Pierre-Marc for their research and assistance with this article.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

Author Aryeh Goretsky, We Live Security

Source / Direct link to article
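The “Orbit Eccentricity” section of the article above describes three layers around the il.php target list: base64, XOR with the 32-character MD5 hex digest of a hardcoded 9-character password, then XOR of each pair of consecutive bytes into one plaintext byte. As an added example, not ESET’s tooling and not code from Orbit Downloader, here is a decoder for a file wrapped that way, together with a parser for the `url=value` lines and an encoder used only to build test input. The DLL’s real password is not given in the article, so the block uses a placeholder of the same length (`notreal99`), and the sample target lines are constructed. The encoder reflects one reading of the pair-XOR step (a random byte paired with its XOR against the plaintext byte), which would also account for every download differing while the decoded content stayed constant.

```python
import base64
import hashlib
import os
from typing import Callable, List, Tuple

# Placeholder: the real 9-character password is hardcoded in the DLL and is not
# given in the article; this stand-in only matches its length.
PASSWORD = "notreal99"
# Per the article, the XOR key is the 32-character MD5 hex digest of that password.
KEY = hashlib.md5(PASSWORD.encode("ascii")).hexdigest().encode("ascii")


def _xor_with_key(data: bytes) -> bytes:
    """Repeating-key XOR with the 32-byte hex digest string."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def decode_config(blob: bytes) -> str:
    """Undo the three layers in order: base64, XOR with the MD5 string, then XOR
    each pair of consecutive bytes down to a single plaintext byte."""
    unmasked = _xor_with_key(base64.b64decode(blob))
    if len(unmasked) % 2:
        raise ValueError("pair-XOR layer expects an even number of bytes")
    plain = bytes(unmasked[i] ^ unmasked[i + 1] for i in range(0, len(unmasked), 2))
    return plain.decode("utf-8")


def encode_config(text: str, rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Test-input builder (our reconstruction, not the server's code): each
    plaintext byte p becomes the pair (r, r ^ p) with r random, so the ciphertext
    changes on every call while decode_config() still returns `text`."""
    pairs = bytearray()
    for p in text.encode("utf-8"):
        r = rng(1)[0]
        pairs += bytes((r, r ^ p))
    return base64.b64encode(_xor_with_key(bytes(pairs)))


def parse_targets(text: str) -> List[Tuple[str, str]]:
    """Split decoded 'url=value' lines into (url, value) tuples; the article shows
    the value left empty. A blank file, which ESET also saw, yields an empty list."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        url, _, value = line.partition("=")
        targets.append((url.strip(), value.strip()))
    return targets


if __name__ == "__main__":
    # Constructed sample in the format the article shows (URL, '=', value).
    sample = "example.test/app.swf=\nexample.test/static/lib.js=\n"
    blob = encode_config(sample)
    print(blob.decode("ascii"))
    print(parse_targets(decode_config(blob)))
```

For an analyst the useful property is that the scheme carries no integrity check and the key is derived from a fixed password, so once the password is recovered from the DLL the whole target feed can be monitored by fetching and decoding il.php on a schedule; a change in `parse_targets()` output is the signal that a new campaign has started.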