Jump to content

Search the Community

Showing results for tags 'DDOS'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 5 results

  1. The website for the United States National Security Agency suddenly went offline Friday. NSA.gov has been unavailable globally as of late Friday afternoon, and Twitter accounts belonging to people loosely affiliated with the Anonymous hacktivism movement have suggested they are responsible. Twitter users @AnonymousOwn3r and @TruthIzSexy both were quick to comment on the matter, and implied that a distributed denial-of-service attack, or DDoS, may have been waged as an act of protest against the NSA. Allegations that those users participated in the DDoS — a method of over-loading a website with too much traffic — are currently unverified, and @AnonymousOwn3r has previously taken credit for downing websites in a similar fashion, although those claims have been largely contested. The crippling of NSA.gov comes amid a series of damning national security documents that have been disclosed without authorization by former intelligence contractor Edward Snowden. The revelations in the leaked documents have impassioned people around the globe outraged by evidence of widespread surveillance operated by the NSA, and a massive “Stop Watching Us” rally is scheduled for Saturday in Washington, DC. DDoS attacks are illegal in the United States under the Computer Fraud and Abuse Act, or CFAA, and two cases are currently underway in California and Virginia in which federal judges are weighing in on instances in which members of Anonymous allegedly used the technique to take down an array of sites during anti-copyright campaigns waged by the group in 2010 and 2011. In those cases, so-called hacktivsits are reported to have conspired together to send immense loads of traffic to targeted websites, rendering them inaccessible due to the overload. Source: RT
  2. A 12 year old boy has pleaded guilty to three counts of hacking in a Canadian court on Thursday. The fifth grader, who was 11 at the time of the offences, aided Anonymous in DDOS attacks against government sites during the 2012 Quebec student protests. The boy contributed to the crashing of sites and acquired user and administrator information from database servers. He is also accused of defacing the front page of websites. The Toronto Sun reports one of the hacked sites was down for two days, causing over $60,000 in damage. A report is expected to detail the extent of the attacks on targets such as Montreal Police and the Chilean government next month. It is reported hackivist group Anonymous exchanged his hacking skills for video games. "It's easy to hack but do not go there too much, they will track you down," the Primary school student said. The 12 year old was among the several hackers arrested over the Anonymous protest. His lawyer says he saw it as a challenge and that “there was no political purpose.” The fifth grader is to be sentenced next month. source: neowin
  3. Orbital Decay: the dark side of a popular file downloading tool BY ARYEH GORETSKY POSTED 21 AUG 2013 AT 11:59AM [UPDATE: Popular file download site MajorGeeks has removed Orbit Downloader from their site. 2013-08-23 19:00 AG] Introduction Orbit Downloader by Innoshock is a popular file downloading add-on for web browsers, used not only to speed up the transfer of files over the Internet but also for its ability to download embedded videos from popular streaming video sites like YouTube. Figure 1 – Orbit Downloader Orbit Downloader has been around since at least 2006, and like many programs these days, is available for free. The developer, Innoshock, generates its revenue from bundled offers, such asOpenCandy, which is used to install third-party software as well as to display advertisements in order to generate revenue. This type of advertising arrangement is normal behavior these days and one of the things that ESET’s researchers regularly look at when determining whether or not a program is to be classified as a Potentially Unwanted Application (PUA). While that process is likewise fairly routine for ESET’s researchers, it is one which requires careful examination because the reasons for which programs may be classified as a PUA vary on a case-by-case basis. Criminals understand that computer users want to download files and streamed videos and have already begun to take advantage of the situation, as computer security researcher Graham Cluley noted in a post on his blog, “Is that YouTube Video Downloader browser plugin safe? Beware!“ What is unusual, though, is to see a popular utility containing additional code for performing Denial of Service (DoS) attacks, which is exactly what our threat researchers found during an otherwise routine examination of the Orbit Downloader software package. Given the age and the popularity of Orbit Downloader (it is listed as one of the top downloads in its category on several popular software web sites) this means that the program might be generating gigabits (or more) of network traffic, making it an effective tool for Distributed Denial of Service (DDoS) attacks. ESET identifies versions of Orbit Downloader containing this attack code as Win32/DDoS.Orbiter.A. Orbital Mechanics Sometime between the release of version (December 25, 2012) and version (January 10, 2013), an additional component was added to orbitdm.exe, the main executable module for Orbit Downloader. Here is what it does: When orbitdm.exe is run, it sends a HTTP GET request to Orbit Downloader’s server at. The server responds with two URLs containing further information: The first URL, named “url“, currently responds with the URL which points to the location of a Win32 PE DLL file that is silently downloaded by the software. So far, ESET’s researchers have seen more than a dozen different versions of this DLL file. The second URL, named “param“, initially responded with an URL oflanguage Several days ago, this switched to language For both URLs, the language variable was set to ENU for English, SKY for Slovak and so forth. The second URL, “param“, seems to generate a response via HTTP POST based on the language parameter sent to the server in Step 1. Most of the time the configuration files were not very interesting to look at, consisting of zero values such as: [update] begintime=00000000000000 endtime=00000000000000 We did, however, observe one interesting response that stood out: [update] url=http://www.kkk.com exclude= param=200 It is unclear to us why the Ku-Klux Clan’s web site was chosen, as no similar sites were seen during our monitoring. This may have simply been a test by the tool’s authors to verify it was working. This screenshot from a packet capture shows the HTTP GET requests from Orbit Downloader as it downloads the configuration file used to target the attack and the DLL used to perform them: Figure 2: example of HTTP GET requests Examination of the Win32 PE DLL by ESET’s researchers reveals an exported function with the nameSendHTTP which performs two actions: The first action is to download an obfuscated configuration file from containing a list of targets to attack. The second action is to perform the attack against the targets listed in the configuration file.Here is a screen shot showing one of the il.php configuration files: Figure 3: example of il.php file Once extracted, entries appear in the format of a URL, followed by an equal sign “=” and an IP address. Here are some entries from another il.php configuration file we examined: bbs1.tanglongs.com/2DClient_main.swf= tanglongs.com/static/script/jquery-1.7.1.min.js= The first portion of an entry, the URL, is the target of the DoS attack. The source IPs are randomly generated. In some instances, we downloaded blank il.php configuration files. This may have meant there were no current targets. Two types of attacks have been observed: If WinPcap is present, specially crafted TCP SYN packets are sent to the targeted machines on port 80, with random source IP addresses. This kind of denial of service attack is known as a SYN flood. It should be noted that WinPcap is a legitimate third-party tool bundled with many programs and is otherwise unrelated to this attack. If WinPcap is not present, TCP packets are sent containing an HTTP connection request on port 80 and UDP datagrams on port 53 to the targeted machines. These attacks, while basic, are effective due to their throughput: On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam. These blocks of IP addresses were hardcoded into the DLL file downloaded from ido.ipl, different ranges may have been used in the past, though, and could change in future versions of the DLL file. Orbit Eccentricity As mentioned above, the configuration file downloaded from Orbit Downloader’s server is encrypted to avoid casual examination. The first step is that files are encoded in base64, an encoding scheme most often used to send binary files as file attachments. After decoding, the data is then XORed with a fixed 32-character string. That 32-character string is actually the MD5 hash of a 9-character password that is hardcoded into the DLL file. After this operation, each pair of consecutive bytes areXORed together to generate a single byte of plaintext. While each download of the encrypted data from the server varies, the actual content, once converted to plaintext, has remained constant for considerably longer periods of time. Historical Orbits Looking through older versions of Orbit Downloader, it appears that the DoS functionality has been present for some time, if not actively used, in a program file named orbitnet.exe, and notorbitDM.exe like current version. Also, this older version downloaded its configuration file fromstatic.koramgame.com and not from the orbitdownloader.com domain. Curiously, the version of orbitnet.exe containing the DoS code (version does not appear to be bundled with any of the installation packages released by Orbit Downloader, although an older version,, appears to be distributed with the current version of Orbit Downloader, version, released May 2, 2013. Conclusion While we are just as puzzled as everyone else as to why this popular file downloading utility now contains remotely-updating DDoS functionality, we are taking action to protect ESET’s users from it. Beginning with virus signature database 8604, versions of Orbit Downloader with DoS functionality are detected by ESET’s software as Win32/DDoS.Orbiter.A. In the meantime, until Innoshock, the developer of Orbit Download explains this behavior and/or releases an updated version without this unwanted functionality, we recommend uninstalling this program and using a different file downloader. The following are the MD5 hashes of files analyzed in this article: 036b2f895fa1d64a1f1821ce9f61a56b 1896b319f5f5b101c028066c659c354e 1ce53a55317ae1f7eaef65b6241c66c8 28c22bac5621f058deb67ea9d7249de9 33544b3c3de8113847f8a676bbdf2db6 3988b798439e7d2deb03bb265cb9277a 3cbe133243e78e15445ad70fd33fc667 44d9dbe00e0396dbbac0efb3631bd8a1 809d5a4af232f08f88d315b116e47828 9e898210781061805844cc90cb77d3bd 9ef50486265891aff5542c3581934ab3 aaeb12d4b2498fb271d50fb31f4e1d5d bd80f4eec1246289d3d735d8d0c7a57e c21c7845b4f9510f9f18e4da284a5af5 d3a2438ee876a8780dfee73b8d266118 d8595fcc4ccbd7a742455ed30b156d69 e16366ee9ae1086bc86a719eaeebeb7b f76c4e8ebcc79aa16f4254ed219a2857 f99c2446ddaa5ee9ebaf2abbc70d4a94 I would like to thank my colleagues Daniel, David, Hugo, Jean-Ian, Peter and Pierre-Marc for their research and assistance with this article. Aryeh Goretsky, MVP, ZCSE Distinguished Researcher Author Aryeh Goretsky, We Live Security Source / Direct link to article
  4. The way Facebook Notes handles HTML image tags could could give an attacker the ability to launch distributed denial of service attacks against external sources, using the power of the massive network to amplify the attack. Facebook Notes is a sort of Tumblr-like internal blogging feature built into the world’s largest social network. It lets users write, edit, and publish content in excess of Facebook’s 63,206 character limit imposed on status updates. Facebook lets users embed various HTML tags into their notes. However, the way that Facebook processes <img> tags could present serious problems for the sources and hosts of those images. Independent researcher Chaman Thapa wrote onhis personal blog earlier this week that whenever an <img> tag is used in Facebook Notes, the social network crawls the image from the external server where it is stored and caches the image. He explains that Facebook only caches each image once, but the cached version can be bypassed using random get parameters – essentially tricking Facebook into thinking that one image is multiple images and causing the service to crawl the source of that single image as many times as there are random get parameters targeting it. Thapa claims that bigger files, like PDFs or videos, could amplify the attack. Given enough get requests, this could create a denial-of-service condition for the server hosting the image file being crawled. With limited computing resources, Thapa managed to generate 900 Mbps of outgoing traffic by compelling Facebook to crawl a 13 MB PDF file. Thapa claims that 12 of Facebook’s servers attempted to fetch the PDF file some 180,000 times. Thapa reported the bug to Facebook. At first, he said, the company misunderstood the vulnerability, thinking it could only cause a 404 error, and that such an error did not constitute a high-impact bug. After some back and forth between Thapa and Facebook’s security team, the social network eventually conceded that the bug does in fact exist. They also told Thapa that his bug did not qualify for a bug bounty payment because they had no intention of fixing it: “In the end, the conclusion is that there’s no real way to fix this that would stop ‘attacks’ against small consumer grade sites without also significantly degrading the overall functionality,” Thapa cites Facebook as having said. “Unfortunately, so-called ‘won’t fix’ items aren’t eligible under the bug bounty program, so there won’t be a reward for this issue.” The representative did however offer the following consolation to Thapa: “I want to acknowledge, however, both that I think your proposed attack is interesting/creative and that you clearly put a lot of work into researching and reporting the issue last month. That IS appreciated and we do hope that you’ll continue to submit any future security issues you find to the Facebook bug bounty program.” Thapa says he reported the bug to Facebook on March 3. The above correspondence took place on April 11. A Facebook spokesperson confirmed Thapa’s account of events to Threatpost. “We appreciated this report and discussed it at some length. Ultimately, we decided against making changes to avoid disrupting intended and desirable functions,” the spokesperson said. Thapa wrote that he is unsure about why Facebook is choosing not to fix his bug. A source with technical understanding of bugs like this one explained to Threatpost that if a site were to receive large amounts of traffic in this manner, rate-limiting or disabling based on the user agent would be an effective defense. “I’m not sure why they are not fixing this,” Thapa wrote. “Supporting dynamic links in image tags could be a problem and I’m not a big fan of it. I think a manual upload would satisfy the need of users if they want to have dynamically generated image on the notes.” Source
  5. PointDNS says most of its DNS servers are online again after a massive DDoS attack late last week took down the service provider. A post on the company’s Twitter account on Friday said the provider was adding nameservers and working with network providers to restore service to its customers. Many of those same customers took to social media complaining about downtime and unavailability of their own websites and services. According to its website, PointDNS services more than 220,000 domains worldwide. Earlier today, a post from parent company Copper.io said services were “back to normal.” This was the second large attack against a DNS provider in the last two weeks. On April 30,UltraDNA mitigated a DDoS attack that kept most of its customers offline for the better part of a day. The SANS Institute’s Internet Storm Center said the attack peaked at 100 Gbps against one of UltraDNS’ customers. The attack resulted in latency issues for other UltraDNS customers. Last week, Incapsula, a cloud-based application delivery company that also sells security services, said it fought back a 25 million packets per second DDoS attack and that many of the DNS queries held non-spoofed IP data. This stands in contrast to many other massive DDoS attacks of late, in particular reflection or amplification attacks, that rely on spoofed addresses to send massive quantities of bad traffic at a target. The Incapsula-mitigated attack was traced back to IP addresses belonging to a pair of DDoS protection services, which are designed for high-capacity traffic management, Incapsula said. Hackers can take advantage of this to pull off DDoS attacks without amplification. These latest attacks, meanwhile, continue a trend of volumetric DDoS attacks reaching new heights. A recent report from Arbor Networks said the provider has already tracked more than 70 DDoS attacks that topped 100 Gbps or more of malicious traffic. The largest on record reached between 325 Gbps and 400 Gbps of traffic. Almost all of these attacks rely on DNS reflection or a growing number on network time protocol amplification attacks. In both cases, IP addresses are spoofed as the target, and massive amounts of traffic is sent their way at no cost to the attacker. US-CERT issued an advisory in January warning companies that hackers were exploiting NTP vulnerabilities to flood networks with UDP traffic. NTP servers are publicly available machines used to synchronize computer clocks. With NTP amplification attacks, hackers exploit the MON_GETLIST feature in NTP servers, which returns the IP address of the last 600 machines interacting with an NTP server. Monlists are a classic set-and-forget feature and are vulnerable to hackers makingforged REQ_MON_GETLIST requests enabling traffic amplification. With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet to launch large-scale DDoS attacks. The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud. Source
  • Create New...