Search the Community

Showing results for tags 'ddos attacks'.

Found 11 results

  1. ~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet

     Criminals are upping the potency of distributed denial-of-service attacks with a technique that abuses a widely used Internet protocol that drastically increases the amount of junk traffic directed at targeted servers. DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS-mitigation services develop protections that allow targets to withstand ever-larger torrents of traffic, the criminals respond with new ways to make the most of their limited bandwidth.

     Getting amped up

     In so-called amplification attacks, DDoSers send requests of relatively small data sizes to certain types of intermediary servers. The intermediaries then send the targets responses that are tens, hundreds, or thousands of times bigger. The redirection works because the requests replace the IP address of the attacker with the address of the server being targeted. Other well-known amplification vectors include the memcached database caching system with an amplification factor of an astounding 51,000, the Network Time Protocol with a factor of 58, and misconfigured DNS servers with a factor of 50.

     DDoS mitigation provider Netscout said on Wednesday that it has observed DDoS-for-hire services adopting a new amplification vector. The vector is the Datagram Transport Layer Security, or D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets. Just as TLS prevents eavesdropping, tampering, or forgery of TLS packets, D/TLS does the same for UDP data. DDoSes that abuse D/TLS allow attackers to amplify their attacks by a factor of 37. Previously, Netscout saw only advanced attackers using dedicated DDoS infrastructure abusing the vector. Now, so-called booter and stressor services—which use commodity equipment to provide for-hire attacks—have adopted the technique. The company has identified almost 4,300 publicly reachable D/TLS servers that are susceptible to the abuse.

     The biggest D/TLS-based attacks Netscout has observed delivered about 45Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207Gbps. Skilled attackers with their own attack infrastructure typically discover, rediscover, or improve amplification vectors and then use them against specific targets. Eventually, word of the new technique will leak into the underground through forums. Booter/stressor services then do research and reverse-engineering to add it to their repertoire.

     Challenging to mitigate

     The observed attack “consists of two or more individual vectors, orchestrated in such a manner that the target is pummeled via the vectors in question simultaneously,” Netscout Threat Intelligence Manager Richard Hummel and the company’s principal engineer, Roland Dobbins, wrote in an email. “These multi-vector attacks are the online equivalent of a combined-arms attack, and the idea is to both overwhelm the defenders in terms of both attack volume as well as present a more challenging mitigation scenario.”

     The 4,300 abusable D/TLS servers are the result of misconfigurations or outdated software that causes an anti-spoofing mechanism to be disabled. While the mechanism is built into the D/TLS specification, hardware including the Citrix NetScaler Application Delivery Controller didn’t always turn it on by default. Citrix has more recently encouraged customers to upgrade to a software version that uses anti-spoofing by default.

     Besides posing a threat to devices on the Internet at large, abusable D/TLS servers also put organizations using them at risk. Attacks that bounce traffic off one of these machines can create full or partial interruption of mission-critical remote-access services inside the organization’s network. Attacks can also cause other service disruptions.

     Netscout’s Hummel and Dobbins said that the attacks can be challenging to mitigate because the size of the payload in a D/TLS request is too big to fit in a single UDP packet and is, therefore, split into an initial and non-initial packet stream. “When large UDP packets are fragmented, the initial fragments contain source and destination port numbers,” they wrote. “Non-initial fragments do not; so, when mitigating a UDP reflection/amplification vector which consists of fragmented packets, such as DNS or CLDAP reflection/amplification, defenders should ensure that the mitigation techniques they employ can filter out both the initial and non-initial fragments of the DDoS attack traffic in question, without overblocking legitimate UDP non-initial fragments.”

     Netscout has additional recommendations here.

     Source: ~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet
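The fragment-handling point Hummel and Dobbins make above, as an added example that is not code from the article or from Netscout: a constructed stream of packet records is run through a port-only filter and then a fragment-aware filter, assuming the reflector source ports named on this page (DNS 53, CLDAP 389, WS-Discovery 3702) and fictional addresses from the documentation ranges.

```python
"""Fragment-aware filtering of reflected UDP traffic.

Added example, not code from the Netscout article. Packets are modelled as
constructed records: only the initial fragment of a large UDP datagram carries
the UDP header (and thus the source port), so an ACL that keys on the
reflector's source port alone silently passes every non-initial fragment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP (the reflector during an attack)
    dst: str                 # destination IP (the victim)
    ip_id: int               # IP Identification field shared by all fragments of one datagram
    frag_offset: int         # 0 for the initial fragment (units of 8 bytes)
    more_fragments: bool     # IP "MF" flag
    sport: Optional[int]     # UDP ports: present only in the initial fragment
    dport: Optional[int]
    length: int              # bytes on the wire


# Source ports of reflection vectors named on this page: DNS, CLDAP, WS-Discovery.
REFLECTOR_PORTS = {53, 389, 3702}

Key = Tuple[str, str, int]   # (src, dst, ip_id) identifies one fragmented datagram


def is_initial(p: Packet) -> bool:
    return p.frag_offset == 0


def is_fragmented(p: Packet) -> bool:
    return p.more_fragments or p.frag_offset > 0


def port_only_filter(packets: List[Packet]) -> List[Packet]:
    """Naive ACL: drop anything whose UDP source port is a known reflector port.

    Non-initial fragments carry no UDP header, so every one of them passes.
    """
    return [p for p in packets if p.sport not in REFLECTOR_PORTS]


def fragment_aware_filter(packets: List[Packet]) -> List[Packet]:
    """Drop the initial fragment on its port AND the non-initial fragments of that datagram.

    Legitimate fragmented UDP (from non-reflector ports) passes untouched, even when
    its non-initial fragments arrive before the initial one.
    """
    verdicts: Dict[Key, bool] = {}       # datagram -> True when it is being dropped
    held: Dict[Key, List[Packet]] = {}   # non-initial fragments seen before their initial fragment
    passed: List[Packet] = []
    for p in packets:
        key = (p.src, p.dst, p.ip_id)
        if is_initial(p):
            drop = p.sport in REFLECTOR_PORTS
            if is_fragmented(p):
                verdicts[key] = drop
                # Decide any fragments of this datagram that arrived out of order.
                for q in held.pop(key, []):
                    if not drop:
                        passed.append(q)
            if not drop:
                passed.append(p)
        elif key in verdicts:
            if not verdicts[key]:
                passed.append(p)
        else:
            held.setdefault(key, []).append(p)
    # Fragments whose initial fragment never showed up: release them rather than
    # break legitimate traffic (a production device would time these out instead).
    for frags in held.values():
        passed.extend(frags)
    return passed


def summarize(packets: List[Packet]) -> Dict[str, int]:
    return {"count": len(packets), "bytes": sum(p.length for p in packets)}


# Constructed sample (documentation address ranges): a reflected WS-Discovery
# response split into three fragments, plus a legitimate fragmented datagram
# whose non-initial fragment is seen before its initial fragment.
REFLECTOR, VICTIM = "203.0.113.10", "198.51.100.5"
CLIENT, SERVER = "192.0.2.20", "192.0.2.30"
SAMPLE = [
    Packet(REFLECTOR, VICTIM, 0x1A2B, 0, True, 3702, 44123, 1500),
    Packet(REFLECTOR, VICTIM, 0x1A2B, 185, True, None, None, 1500),
    Packet(REFLECTOR, VICTIM, 0x1A2B, 370, False, None, None, 600),
    Packet(CLIENT, SERVER, 0x7777, 185, False, None, None, 900),
    Packet(CLIENT, SERVER, 0x7777, 0, True, 40321, 5000, 1500),
]

if __name__ == "__main__":
    print("port-only filter passes:", summarize(port_only_filter(SAMPLE)))            # 4 packets, 4500 bytes
    print("fragment-aware filter passes:", summarize(fragment_aware_filter(SAMPLE)))  # 2 packets, 2400 bytes
```

The port-only filter lets 2,100 bytes of the 3,600-byte reflected datagram through; the fragment-aware one drops all of it and still passes the out-of-order legitimate fragments.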
  2. All the organizations that contacted security provider Radware after receiving an extortion letter were hit by Distributed Denial of Service attacks.

     Traditionally, cybercriminals who deal in ransomware will capture and encrypt sensitive data and then demand payment to decrypt it. But attackers also use other types of threats to try to elicit money from a victimized organization. In a new campaign analyzed by Radware, cybercriminals threaten organizations with Distributed Denial of Service (DDoS) attacks unless they acquiesce to their ransom demands.

     Published on Wednesday, a security alert entitled "2020 Ransom DDoS Campaign Update" describes how Radware and the FBI have been warning organizations about a global ransomware DDoS campaign targeting financial companies and other businesses around the world. In this campaign, organizations receive extortion messages from criminal groups going by the names "Fancy Bear," "Armada Collective," and "Lazarus Group." The letters warn the recipient that their network will be subjected to a DDoS attack in another week. On the date the message is sent, the targeted organization is actually hit by a small attack referred to in the letter as proof that the criminals have the ability to carry out their threat.

     The group promises not to launch any further attacks if the victim pays the ransom, which starts out at 20 bitcoins (around $230,000) but then jumps by 10 bitcoins each day the money isn't paid. If payment is not received by a specified deadline, the attackers give the targeted organization a "second chance to reconsider before going down for good." If there's still no payment, then the groups vow to launch extremely powerful DDoS attacks that peak at over two terabits per second. "This means that your websites and other connected services will be unavailable for everyone," the criminals threaten in their letter. "Please also note that this will severely damage your reputation among your customers who use online services."

     The three different groups have different targets, according to Radware. Lazarus Group is the name used when the target is a financial organization. Also known as "APT38," or "BeagleBoyz" by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), Lazarus is believed to have close ties with the North Korean government. This group doesn't typically rely on DDoS as an attack vector, preferring to use malware frameworks and compromised payment networks and servers.

     Fancy Bear is the group name used for targeting companies in the technology and manufacturing sectors. Also known as "APT28" or "Sofacy Group," Fancy Bear is a Russian cyber espionage group reported to be closely tied to the Russian military intelligence agency GRU, which is sponsored by the Russian government. Rather than seeking financial gain, this group tends to target only organizations that are associated with government or political agencies looking to spread political influence or chaos, Radware said.

     The extortion letters from Armada Collective have used different language than the ones sent from Lazarus Group and Fancy Bear. These letters have all been consistent in their use of English (even polite by using the word "please"). The letters have also improved in quality since the start by correcting a few typos and rephrasing certain sentences for better clarity.

     What to do if you're a victim

     The threat is real. All of the organizations that contacted Radware upon receiving one of the extortion letters were the recipients of follow-up attacks, as promised by the criminal groups. Based on the size and scope of the victimized organization, the attacks have ranged from a couple of gigabits per second to hundreds of gigabits per second, in some cases going as high as 300 Gbps. Though not as severe as the threatened 2 Tbps attack, the ones carried out still proved devastating for many organizations.

     However, Radware advises targeted organizations not to pay the ransom, at least not if they have proper DDoS protection. Organizations that lack the necessary protection should find a reliable partner or vendor to help shore up their defenses so that any follow-up attacks don't disrupt their business.

     Effective protection

     Further, Radware offers a few recommendations on how to protect your organization from DDoS attacks.

     • Hybrid DDoS protection. On-premise and cloud DDoS protection for real-time DDoS attack prevention also addresses high volume attacks and protects from pipe saturation.
     • Behavioral-based detection. This detection can quickly and accurately identify and block anomalies while allowing legitimate traffic through.
     • Real-time signature creation. This can promptly protect you from unknown threats and zero-day attacks.
     • Cybersecurity emergency response plan. Such a plan entails having a dedicated emergency team of experts who possess the experience with Internet of Things security and can handle IoT outbreaks.
     • Intelligence on active threat actors. This provides high fidelity, correlated, and analyzed data for preemptive protection against currently active known attackers.

     Source
  3. ‘DDoS-For-Hire’ Is Fueling a New Wave of Attacks

     Turf wars are heating up over the routers that fuel distributed denial of service attacks—and cybermercenaries are running rampant.

     If someone wants to disrupt a website or online service—or take it down altogether—a popular method is to wallop it with a massive flood of junk traffic or bogus requests. These so-called distributed denial of service attacks have for years been a fact of life on the internet. But a recent spate of major campaigns has raised the specter of DDoS mercenaries increasingly targeting attacks at the behest of the highest bidder.

     On Wednesday, the cybersecurity firm Trend Micro is releasing findings about escalating global turf wars between attacker groups vying to seize control of vulnerable routers and other devices. Their aim: to power botnets that can direct a firehose of malign traffic or requests for DDoS attacks. Such territory disputes are a hallmark of botnets, but attackers seem increasingly motivated to grow their zombie armies not for their own purposes, but in service of more professionalized—and profitable—"DDoS for hire" schemes.

     "Four or five years ago attackers were just compromising as many routers as they could," says Robert McArdle, director of forward-looking threat research at Trend Micro. "If they could get 1,000 they were happy, if they could get 10,000 they were happier. Now when you start thinking of it as a business those are growth numbers. They're thinking more corporate. It's a key change."

     One challenge of DDoS research is getting insight into specific numbers of IoT devices infected with botnet malware. Unlike, say, Windows computers, most consumer-grade IoT devices like routers don't run any type of monitoring software that provides visibility. Even more kitted out enterprise networks don't always extend their protections to every IoT device, leaving some exposed to attack.

     In general, though, DDoS activity appears to have been steady in the first months of 2020. From November 11, 2019 to March 11 of this year, network performance company Netscout observed an average of about 735,000 DDoS attacks per month. But from March 11 to April 11th of 2020, the group observed more than 864,000 attacks, the largest number Netscout has ever seen in a 31-day period by 17 percent.

     Those attacks are noteworthy not only for their frequency but their size, measured in terabits-per-second or packets-per-second. Amazon Web Services said in a recent report that it successfully thwarted an impressive three-day attack in mid-February against one of its customers that peaked at 2.3 terabits-per-second—44 percent larger than any similar DDoS attack previously detected on AWS's infrastructure. The internet infrastructure firms Akamai and Cloudflare both fended off attacks between June 18 and June 21 that peaked at 754 million packets-per-second for Cloudflare and a record 809 million packets-per-second for Akamai. Though the motivation for these two attacks is unknown, both firms say that they didn't see evidence that the assaults were extortion attempts—a monetization strategy DDoSers sometimes tried during the 2010s. This could mean that the attacks were ideologically motivated, and even that they came from DDoS-for-hire services.

     Regardless of their origin, the Trend Micro researchers say that DDoS-for-hire more broadly is escalating, and that attackers are going to greater and greater lengths to break into consumer routers for more DDoS firepower. "It's not so much that attackers have upgraded the botnet source code that's out there, it's that now they’ve figured out the way to monetize these attacks," says David Sancho, a senior threat researcher at Trend Micro. "And the price of entry is so, so low that it's driving more and more attacks."

     In addition to happening within days of each other, both the Akamai and Cloudflare attacks focused on overwhelming applications and networking hardware with a deluge of network communication data packets. This type of DDoS attack doesn't involve sending a huge amount of junk data; Cloudflare said the attack it dealt with hit 250 gigabits-per-second, far from a noteworthy attack in that respect. But the unusually high packet rate common across both attacks can be just as devastating—what Cloudflare calls "a swarm of millions of mosquitoes that you need to zap one by one."

     "Over 50 percent of that 809 million packets-per-second was coming from enterprise-level DVRs," says Roger Barranco, Akamai's vice president of global security operations. "What’s new is the concept of campaigns. We go back a couple of years and 'attack' was the right word to use. There were many attacks every single day, but they weren’t in my opinion campaign-oriented. Some of our more recent ones are campaign-oriented where the attacker is working in a coordinated way over an extended period of time."

     Enterprise DVRs, which are typically used to record security camera footage, are the type of device that could easily be ignored by corporate IT defenses more focused on critical components like high-end routers and firewalls. And the Trend Micro researchers say that while they are particularly focused on raising awareness about the long tail of dealing with unprotected consumer routers, DDoS groups that are more organized and professional than ever will capitalize on whatever vulnerable devices they can find.

     "Right now they’re going for the very, very easy targets," Trend Micro's Sancho says. "What I think is most likely is that they’re going to develop more and better business plans to make money off of those infected routers and monetize those. Then we’ll see even more people trying to attack, which will exacerbate the whole problem."

     As DDoS-for-hire becomes more and more profitable, particularly because of a surge of customers in the online gaming world, attackers will continue to feud over the finite number of vulnerable devices they can pull into their botnets. The key for potential targets is to prepare for any type of DDoS attack that comes along, and to avoid being lulled into complacency by the unrelenting patter.

     "If you think about email spam it’s still out there, but we’re really not troubled by it as much, because it all goes into the spam folder," says John Graham-Cumming, Cloudflare's chief technology officer. "The same is true of DDoS. If you have a DDoS defense service, ours and others, we’ll filter out DDoSes that are happening all the time. Handling them, particularly attacks that are large in packets-per-second, is interesting from our perspective, but it's just another attack. There's never a lull."

     Source: ‘DDoS-For-Hire’ Is Fueling a New Wave of Attacks
  4. Two record DDoSes disclosed this week underscore their growing menace

     More bots + better DDoS traps = ever-growing amounts of junk traffic.

     Distributed denial-of-service attacks—those floods of junk traffic that criminals use to disrupt or completely take down websites and services—have long been an Internet scourge, with events that regularly cripple news outlets and software repositories and in some cases bring huge parts of the Internet to a standstill for hours. Now there’s evidence that DDoSes, as they’re usually called, are growing more potent with two record-breaking attacks coming to light in the past week.

     DDoS operators hack thousands, hundreds of thousands, and in some cases millions of Internet-connected devices and harness their bandwidth and processing power. The attackers use these ill-gotten resources to bombard sites with torrents of data packets with the goal of taking the targets down. More advanced attackers magnify their firepower by bouncing the malicious traffic off of third-party services that in some cases can amplify it by a factor of 51,000, a feat that, at least theoretically, allows a single home computer with a 100 megabit-per-second upload capacity to deliver a once-unimaginable 5 terabits per second of traffic.

     These types of DDoSes are known as volumetric attacks. The objective is to use machines distributed across the Internet to send orders of magnitude more traffic volume to a circuit than it can handle. A second class—known as packet-per-second focused attacks—forces machines to bombard network gear or applications inside the target’s data center with more data packets than they can process. The objective in both types of attacks is the same. With network or processing capacity fully consumed, legitimate users can no longer access the target’s resources, resulting in a denial of service.

     Hugely disproportionate negative impacts

     DDoS attacks over the past two decades have grown increasingly powerful. The ones that a 15-year-old Canadian used in 2000 to take down Yahoo, ETrade, and Buy.com measured in the hundreds of megabits per second, roughly comparable to many of today’s home broadband connections but enough to clog the sites’ pipelines with enough traffic to completely block legitimate connections. By 2011, attackers had increased DDoSes to the tens of gigabits per second. Record attacks reached 300Gbps, 1.1 terabits per second, and 1.7Tbps in 2013, 2016, and 2018 respectively. While less common, packet-per-second attacks have followed a similar upward trajectory.

     The race upward is showing no signs of slowing. Last week, Amazon reported that its AWS Shield DDoS mitigation service went head-to-head with a 2.3 Tbps attack, a 35-percent increase over the 2018 record. Meanwhile, network provider Akamai said on Thursday that its Prolexic service repelled a DDoS that generated 809 million packets per second. That’s a 35-percent increase over what’s believed to be the previous high-water mark of the 600Mpps DDoS that Roland Dobbins, principal engineer at competing mitigation service Netscout Arbor, said his company handled.

     “We anticipate continued innovation in the area of DDoS attack vectors due to the various financial, ideological, and social motivations of attackers,” Dobbins told me. “DDoS attacks allow attackers to have a hugely disproportionate negative impact on both the intended targets of attacks, as well as uninvolved bystanders.”

     The attack, which Akamai said hit an unnamed European bank, was notable for how quickly it ramped up. As the image below illustrates, attackers needed less than three minutes to unleash its peak of 809 Mpps.

     [image: Akamai]

     Amplifying firepower

     One of the more recent innovations DDoSers have hit upon is exploiting misconfigured servers running CLDAP, short for Connectionless Lightweight Directory Access Protocol. A Microsoft derivation of the LDAP standard, the mechanism uses User Datagram Protocol packets to query and retrieve data from Microsoft servers. While CLDAP should be available only from inside a network, Dobbins said that Netscout has identified some 330,000 servers that have the mechanism exposed to the Internet at large. Attackers have seized on this mass blunder. By sending the misconfigured servers CLDAP requests with spoofed IP addresses, the servers unwittingly bombard targets with responses that are 50 or more times bigger.

     “It’s frequently administrative sloppiness that allows this attack to exist,” Roger Barranco, vice president of global security operations at Akamai, said. He added that locking down network ports such as 389 and installing patches will generally prevent a server from being abused this way.

     In the past, DDoSers abused servers running other widely used protocols that had been misconfigured. When not set up correctly, memcached, a database caching system for speeding up websites and networks, can amplify DDoSes by an unthinkable factor of 51,000, an innovation that powered the 2018 record of 1.7Tbps. Four years earlier, attackers abused the Network Time Protocol that servers rely on to keep clocks synchronized across the Internet. The technique, which magnifies junk traffic by about 19-fold, led to the 2014 DDoSes that took down servers for League of Legends, EA.com, and other online game services.

     Usually, when misconfigurations of widely used protocols or services are abused en masse, Internet watchdogs will push administrators to clean them up. When admins finally do, attackers find new ways to increase their firepower. The cycle continues.

     A growth in bots threatens gamers, banks, and you

     Besides seizing on amplification methods, the growing size of DDoSes is the result of attackers taking control of an ever-growing number of devices. Whereas Windows and later Linux computers were once the sole dominion of botnets that sent targets junk traffic, the mushrooming number of routers, Internet-connected cameras, and other so-called Internet of things devices has now become an active participant as well. In Thursday’s report, Akamai said that 96 percent of the IP addresses used to deliver the record 809 million packets-per-second DDoS over the weekend had never been observed before. The growing number of compromised IoT devices is likely fueling that increase.

     Among the most common DDoS targets are online game players and the companies, platforms, and broadband ISPs they use. Rivalries between gamers are one motivation. Another objective is to disrupt the flow of large amounts of money that’s often wagered in gaming. Financial institutions, government agencies, political advocacy organizations, and retailers are also frequent marks, often by hacktivists motivated by ideology. DDoSers sometimes strike so they can demand ransoms to stop the attacks. Other times, DDoSers attack out of plain meanness.

     The intended targets aren’t the only ones who suffer the adverse effects of DDoSes. Once-unimaginable data storms can overwhelm ISP peering connections, DNS servers, and other infrastructure that everyday people and businesses rely on to shop, send email, and do other important tasks. “The collateral damage footprint of DDoS attacks is often far larger than the impact on the intended targets,” Dobbins said. “Suffice it to say that far more uninvolved people and organizations often have their activities disrupted by the collateral damage of DDoS attacks than those who are the actual targets of these attacks.”

     Source: Two record DDoSes disclosed this week underscore their growing menace
  5. Researchers have found that the HTML feature called hyperlink auditing, or pings, is being used to perform DDoS attacks against various sites. This feature is normally used by sites to track link clicks, but is now found to be abused by attackers to send a massive amount of web requests to sites in order to take them offline.

     For those who are unfamiliar with hyperlink auditing, it is an HTML feature that allows sites to track clicks on links. To create a hyperlink auditing URL, or ping, you can simply create a normal hyperlink HTML tag, but also include a ping="" variable as shown below.

     [image: ping HTML link example]

     In the above example, when the user clicks on the link, their browser will first connect to https://www.bleepingcomputer.com/pong.php with a POST request and then direct the browser to Google. This causes your browser to connect to two different sites when you click on a single link. The web page that receives the ping can then examine the POST request headers to see what page the click originated on (Ping-From header) and what page the link was going to (Ping-To header).

     While not as common as JS and redirect tracking, this feature is used in the Google search results in order for Google to track clicks on their links.

     Pings abused to perform DDoS attacks

     In new research by Imperva, researchers have found that HTML pings are being utilized by attackers to perform distributed denial of services attacks on various sites. This attack was conducted mainly by users from China and almost all of the attackers were mobile users utilizing QQBrowser. Over the course of this attack, Imperva detected 4,000 IP addresses involved in sending approximately 70 million requests in four hours.

     [image: a peak of 7,500 requests per second (RPS)]

     Strangely, all of the PING requests that Imperva observed showed that both the Ping-To and the Ping-From header values were from http://booc.gz.bcebos[.]com/yo.js?version=cc000001. This is strange as usually the link URL is different from the URL where the link was clicked. When examining the you.html page from the Ping-To and Ping-From headers, Imperva was able to understand what was happening. The you.html page, shown below, loads two JS files that would perform the HTML ping DDoS attacks.

     [image: you.html]

     The ou.js file contained an array of sites that were targeted for the DDoS attack. Imperva has told BleepingComputer that most of the sites being targeted were for gaming companies. The yo.js script would randomly select one of the above sites and create an HTML ping URL with that site as the ping target. It would then programmatically click on the link as shown by the link.click() command. The JavaScript would then create a new HTML ping URL and click every second. So the longer a user was on this page, the more clicks they would generate.

     Imperva's theory is that the attackers used social engineering and malvertising to direct users to pages hosting these scripts.

     We noticed that the User-Agent in the requests is associated with the popular Chinese chat app, WeChat. WeChat uses a default mobile browser to open links in messages. As QQBrowser is very popular in China, many users pick it as a default browser for their smartphone. Our theory is that social engineering combined with malvertising (malicious advertising) that tricked unsuspecting WeChat users into opening the browser. Here’s one possible scenario:

     • The attacker injects malicious advertising that loads a suspected website
     • Link to the legitimate website with the malicious ad in an iframe is posted to a large WeChat group chat
     • Legitimate users visit the website with the malicious ad
     • JavaScript code executes, creating a link with the “ping” attribute that the user clicks on
     • An HTTP ping request is generated and sent to the target domain from the legitimate user’s browser

     The good news is that it is currently easy to prevent most browsers from being utilized in hyperlink auditing ping attacks as described above. This is by disabling hyperlink auditing in your browser. The bad part is that almost all browsers, except for Firefox and Brave, will soon have this feature enabled by default without any way of disabling it.

     Browsers will soon prevent you from disabling HTML pings

     Browsers such as Chrome, Edge, Safari, and Opera enable hyperlink auditing by default and most allow you to disable it. As we reported last weekend, future versions of these browsers will no longer allow users to disable hyperlink auditing at all. The inability to disable hyperlink auditing is not only a privacy risk and a cause for concern by many, but this new research shows that it is far worse than originally understood. Now that we know this feature is being utilized in distributed attacks, it is more important than ever for users to have the ability to disable this feature. Currently, the only browsers that disable hyperlink auditing by default and continue to provide ways to disable it are Firefox and Brave.

     Source
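A server-side triage of the ping floods described above, written as an added example that is not code from Imperva or from the article. A browser following an <a ping="..."> link sends a POST with Content-Type text/ping and Ping-From/Ping-To headers; the check rejects pings whose Ping-From page is not one of our own (assumed host www.example.com), flags the identical-header pattern the research observed, and rate-limits the rest. The request records and the attacker.invalid URL are constructed.

```python
"""Server-side triage of hyperlink-auditing (<a ping>) requests.

Added example, not code from the Imperva research or the BleepingComputer
article. A site that only tracks clicks on its own pages has no reason to
accept a ping whose Ping-From page lives on someone else's host.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

OWN_HOSTS = {"www.example.com"}   # assumed: hosts whose pages legitimately carry ping=
RATE_LIMIT = 5                    # assumed: accepted pings per source IP per window
WINDOW_SECONDS = 10.0


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def is_ping_request(method: str, headers: Dict[str, str]) -> bool:
    """Browsers send a ping as POST with Content-Type text/ping plus Ping-From/Ping-To."""
    h = _lower(headers)
    media = h.get("content-type", "").split(";")[0].strip().lower()
    return method == "POST" and media == "text/ping" and "ping-from" in h and "ping-to" in h


def classify_ping(headers: Dict[str, str]) -> str:
    """Return 'ok' or a short reason for rejecting a ping request."""
    h = _lower(headers)
    ping_from, ping_to = h.get("ping-from", ""), h.get("ping-to", "")
    if urlsplit(ping_from).hostname not in OWN_HOSTS:
        # We never emitted the link that was clicked, so we never asked for this ping.
        return "ping-from-not-ours"
    if ping_from == ping_to:
        # Pattern observed in the reflected attack: the "clicked" page and the link
        # target are the same URL, which no ordinary click produces.
        return "from-equals-to"
    return "ok"


class PingRateLimiter:
    """Sliding-window counter of accepted pings per source IP."""

    def __init__(self, limit: int = RATE_LIMIT, window: float = WINDOW_SECONDS) -> None:
        self.limit, self.window = limit, window
        self.hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, source_ip: str, now: float) -> bool:
        q = self.hits[source_ip]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


Request = Tuple[float, str, str, Dict[str, str]]   # (timestamp, source_ip, method, headers)


def triage(requests: Iterable[Request]) -> List[str]:
    """Verdict per request: 'not-ping', 'accept' or 'reject:<reason>'."""
    limiter = PingRateLimiter()
    verdicts = []
    for ts, ip, method, headers in requests:
        if not is_ping_request(method, headers):
            verdicts.append("not-ping")
            continue
        reason = classify_ping(headers)
        if reason != "ok":
            verdicts.append("reject:" + reason)
        elif not limiter.allow(ip, ts):
            verdicts.append("reject:rate-limit")
        else:
            verdicts.append("accept")
    return verdicts


# Constructed sample: one ordinary GET, one attack-style ping whose headers both
# point at a page we do not own, one legitimate ping, then a burst of seven
# legitimate pings from a single source that trips the rate limit.
ATTACK_PAGE = "http://attacker.invalid/yo.js?version=1"   # constructed stand-in for the hosting page
PING = {"Content-Type": "text/ping"}
SAMPLE: List[Request] = [
    (0.0, "198.51.100.7", "GET", {"Host": "www.example.com"}),
    (0.1, "198.51.100.7", "POST", {**PING, "Ping-From": ATTACK_PAGE, "Ping-To": ATTACK_PAGE}),
    (0.2, "198.51.100.8", "POST", {**PING, "Ping-From": "https://www.example.com/news",
                                   "Ping-To": "https://partner.example.net/"}),
] + [
    (1.0 + i * 0.1, "198.51.100.9", "POST", {**PING, "Ping-From": "https://www.example.com/a",
                                             "Ping-To": "https://b.example.net/"})
    for i in range(7)
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, triage(SAMPLE)):
        print(f"{req[0]:4.1f} {req[1]:<14} {req[2]:<4} -> {verdict}")
```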
  6. Security researchers warn that the WS-Discovery protocol is currently being abused for massive DDoS attacks.

Security researchers are sounding the alarm about the Web Services Dynamic Discovery (WS-DD, WSD, or WS-Discovery) protocol, which they say can be abused to launch pretty massive DDoS attacks.

What is WS-Discovery

WS-Discovery is a multicast protocol that can be used on local networks to "discover" other nearby devices that communicate via a particular protocol or interface. Most notably, the protocol is used to support inter-device discovery and communications via the SOAP messaging format, using UDP packets -- hence why it's sometimes referred to as SOAP-over-UDP.

WS-Discovery is not a common or well-known protocol, but it's been adopted by ONVIF, an industry group that promotes standardized interfaces for interoperability of networked products. ONVIF members include Axis, Sony, Bosch, and others, who use ONVIF standards as the basis for their products. Since the mid-2010s, the group's standard has recommended the WS-Discovery protocol for device discovery as part of plug-and-play interoperability [page 9].

As part of this sustained standardization effort, the protocol has made it into a slew of products that include anything from IP cameras to printers, and from home appliances to DVRs. Currently, according to internet search engine BinaryEdge, there are now nearly 630,000 ONVIF-based devices that support the WS-Discovery protocol and are ripe for abuse.

WS-Discovery DDoS attacks can reach massive outputs

There are multiple reasons why the WS-Discovery protocol is so ideal for DDoS attacks. First off, it's a UDP-based protocol, meaning the packet destination can be spoofed. An attacker can send a UDP packet to a device's WS-Discovery service with a forged return IP address. When the device sends back a reply, it will send it to the forged IP address, allowing attackers to bounce traffic on WS-Discovery devices, and aim it at the desired target of their DDoS attacks.

Second, the WS-Discovery response is many times larger than the initial input. This allows attackers to send an initial packet to a WS-Discovery device, which bounces the response to a DDoS attack victim at multiple times its initial size. This is what security researchers call a DDoS amplification factor, and this allows attackers with access to limited resources to launch massive DDoS attacks by amplifying junk traffic on vulnerable devices.

In the case of WS-Discovery, the protocol has been observed in real-world DDoS attacks with amplification factors of up to 300, and even 500. This is a gigantic amplification factor, taking into account that most other UDP protocols have similar factors of up to 10, on average.

The good news is that there have been very few WS-Discovery DDoS attacks with amplification factors of 300 or 500, which appear to be the oddity, rather than the norm. According to ZeroBS GmbH, a cyber-security firm that's been tracking the recent wave of WS-Discovery DDoS attacks that have taken place this month, a more common amplification factor was a normal one of up to 10.

Nonetheless, a proof-of-concept script for launching WS-Discovery DDoS attacks published on GitHub in late 2018 claims it can achieve between 70 and 150 amplification factors [ZDNet will not be linking to the script, for obvious reasons], so there is still a danger that a sophisticated threat actor will eventually weaponize this protocol to its full potential.

Past WS-Discovery DDoS attacks

The first attacks abusing the WS-Discovery protocol on a large scale were reported in early May by security researcher Tucker Preston. The researcher told ZDNet that he observed over 130 DDoS attacks at the time, with some reaching sizes of over 350 Gbps. These attacks were later confirmed by Netscout in a report published last month [page 28].

WS-Discovery DDoS attacks, May 2019

Attacks subsided in the following months, but they picked up again in August, ZeroBS told ZDNet today. Unlike the first waves of WS-Discovery attacks, these were much smaller and were most likely carried out by threat actors who weren't fully aware of the protocol's capabilities, or they didn't have the technical means to exploit it at its full potential.

ZeroBS said these latter attacks only reached a maximum of 40 Gbps, amplification factors of no more than 10, and that only 5,000 devices (mostly IP cameras and printers) had been corralled into the botnets that were launching these attacks.

Right now, WS-Discovery DDoS attacks haven't reached a stage where they happen daily, nor are they being used at their full potential, with many attacks still using only a fraction of the total WS-Discovery devices available online, and only achieving small amplification factors. However, the large number of devices that are currently exposing the WS-Discovery port 3702 on the internet will make this protocol a favorite among botnet operators in the coming months.

Internet service providers still have time to deploy protective measures at their network boundaries to block traffic from the internet that targets the 3702 port on devices inside their network. Simple solutions like these will help prevent botnets from abusing these devices for future attacks, but, as we've seen in the past, deploying such measures usually takes a few months, and there are always a few ISPs that fail to act and leave devices exposed on the internet that facilitate future DDoS attacks.

Source
  7. Huygens if true: Dutch police break up bulletproof hosting outfit and kill Mirai botnet

Cops also Cruyff cloggy couple eDam, that's a lot of servers

Dutch police said in a translated news release that they have busted a local 'bulletproof' server hosting operation in a major takedown that also nabbed a pair of Mirai botnet operators.

The Netherlands' National Criminal Investigation Department and National Cyber Security Center operated jointly to track down and seize five servers that they say were being used as an underground 'bulletproof' hosting service for criminals. The servers, housed at an unnamed data center in Amsterdam, had been the subject of thousands of complaints of malware infections as their operators had used the boxes to run exploits and control infected machines.

In this case, the police say, the people controlling those servers were a pair of Dutch nationals who had been running a Mirai botnet with cover from the bulletproof host. The duo, a 24-year-old man from Veendam and a 28-year-old man from Middelburg, had been offering the network of Mirai-infected devices as a for-hire distributed denial of service tool.

"The investigation also revealed that this botnet was very aggressively trying to infect other devices, up to over a million attempts per month on one device," the translated police statement reads. "Which DDoS attacks can be attributed to this botnet is part of the further investigation."

Police said they plan to charge the pair with crimes including, but not limited to, computer intrusion and spreading malware. The cops hope that, by seizing the servers, they can take down this botnet once and for all.

The bust-up of a locally-based bulletproof host (a term used for server providers who don't ask questions of their customers and typically ignore takedown requests) should also prove significant. While shady hosting operations have typically been associated with poorer, strife-ridden areas that have little in the way of government and police oversight, there are a number of advantages to having a bulletproof host located nearby in a major city, including reliability and lower latencies, that would make the Amsterdam datacenter a hot commodity with local cybercriminals.

Meanwhile, users and admins who are worried about falling victim to Mirai and other botnet malware should first reset the device to get rid of any locally running code, then make sure they have changed default passwords and double-checked their firewall settings and updated all firmware.

Source: Huygens if true: Dutch police break up bulletproof hosting outfit and kill Mirai botnet
  8. Up to 40,000 macOS systems expose a particular port online that can be abused for pretty big DDoS attacks.

DDoS-for-hire services, also known as DDoS booters, or DDoS stressors, are abusing macOS systems to launch DDoS attacks, ZDNet has learned.

These attacks are leveraging macOS systems where the Apple Remote Desktop feature has been enabled, and the computer is accessible from the internet, without being located inside a local network, or protected by a firewall.

More specifically, the attackers are leveraging the Apple Remote Management Service (ARMS) that is a part of the Apple Remote Desktop (ARD) feature. When users enable the Remote Desktop capability on their macOS systems, the ARMS service starts on port 3283 and listens for incoming commands meant for the remote Mac.

Huge "amplification factor"

But sometime this year, cyber-criminals have realized that they can abuse the ARMS service as part of a so-called "DDoS amplification attack."

DDoS amplification attacks are one of the many forms of DDoS attacks. It's when attackers bounce traffic off an intermediary point and relay it towards a victim's server. In this case, that intermediary point is a macOS system with Remote Desktop enabled.

Protocols like DNS, NTP, CharGEN, Memcached, NetBIOS, CLDAP, and LDAP are often abused as part of DDoS amplification attacks. CoAP and WS-Discovery are just the latest protocols to have joined this list. Most of these protocols are UDP-based, where UDP is a type of network packet used as the base for the other, more complex protocols. ARMS is also a UDP-based protocol.

The danger level for any of the above protocols is what security researchers call the "amplification factor," which describes the ratio between a packet before and after it bounces off towards its target. Most DDoS amplification attacks observed in the wild have an amplification factor of between 5 and 10. The higher the protocol, the more useful it is for attackers.

According to security researchers from Netscout, who saw the first ARMS-based DDoS attacks in June, ARMS commands an impressive 35.5 amplification factor.

Furthermore, while there've been other protocols with big amplification factors in the past, most of them are oddities and rarely used protocols, making them unusable for attackers. Most of today's DDoS amplification attacks rely on DNS and NTP which, even if they have a small amplification factor, have plenty of servers to go around that attackers can use to amplify their bad traffic.

Up to 40,000 macOS expose ARD/ARMS ports

However, ARMS is different, in the sense that this is the worst-case scenario, where we have a big amplification factor protocol that's available on a large number of hosts that attackers can abuse. A search with the BinaryEdge IoT search engine shows nearly 40,000 macOS systems where the Remote Desktop feature is enabled, and the systems reachable via the internet.

Some attacks peaked at 70 Gbps

It is unclear who discovered that the ARMS service could be abused for DDoS amplification attacks, but attacks have already happened in the real world. Netscout spotted the first one in the second week of June. The company said the attack peaked at 70 Gbps, which is a pretty large attack.

Other attacks followed, as observed by the Keio University Shonan Fujisawa Campus in Japan, and by Italian systems administrator Marco Padovan.

But while initial attacks were sparse, they're now starting to pick up, according to a source in the DDoS community. The main reason is that some DDoS booters have added support for launching attacks via this protocol, this source told ZDNet. This means that macOS systems across the globe are now being used as bouncing points for DDoS attacks.

These systems should not be reachable via the internet

According to an analysis of the BinaryEdge search results, the vast majority of these systems are on university and enterprise networks, where system administrators use the Apple Remote Desktop feature to manage large fleets of macOS systems at a time. These systems should not be available online, and if they need to be, then access should be restricted using Virtual Private Networks or IP whitelists.

The Apple Remote Desktop feature is the direct equivalent of Microsoft's Remote Desktop Protocol (RDP). In the past, hackers have brute-forced RDP endpoints to gain access to corporate networks, from where they stole proprietary information, or have installed ransomware. Similar to how crooks target companies with RDP systems exposed online, they can do the same for Mac systems with ARD. Admins of macOS fleets should probably secure ARD endpoints to prevent these types of attacks first, and DDoS nuisance second.

Source
  9. Ukrainian teen arrested last month for taking down a local ISP with DDoS attacks.

Ukrainian police have arrested a 16-year-old from the city of Odessa last month for attempting to extort a local ISP (internet service provider) into sharing data on one of its subscribers.

Ukrainian authorities say that when the service provider declined, the teen used distributed denial of service (DDoS) attacks to take down the ISP's network. The attacks, which took place last year, were severe enough that the ISP contacted law enforcement.

A spokesperson for the Ministry of Internal Affairs told ZDNet officers from Ukraine's cyber police tracked down the teen to the city of Odessa, where they arrested the 16-year-old last month, in January.

Ukrainian cyber police say they searched the teen's home and seized his devices. Authorities said that during a preliminary review of the suspect's computer they found software used to perform DDoS attacks, along with details for 20 accounts on various hacker forums.

According to Ukraine's criminal code, the suspect faces up to six years in prison for launching the DDoS attacks. He was not charged for the attempted extortion. Ukrainian officials declined to comment further on the case, such as whose data the attacker requested, citing an ongoing investigation.

The Ukrainian teen is certainly not the first case where a suspect has taken down an entire ISP's network using a simple DDoS botnet. Similar instances of DDoS attacks taking down ISPs have happened in Liberia, Cambodia, and more recently, South Africa. In most cases, attackers either use botnets capable of launching massive waves of junk traffic (Liberia), or are using a clever technique known as carpet-bombing (South Africa).

Source
  10. Powerhouse VPN products can be abused for large-scale DDoS attacks

Around 1,500 Powerhouse VPN servers are exposed online and ready to be abused by DDoS groups.

Botnet operators are abusing VPN servers from VPN provider Powerhouse Management as a way to bounce and amplify junk traffic as part of DDoS attacks.

This new DDoS vector has been discovered and documented by a security researcher who goes online as Phenomite, who shared his findings with ZDNet last week.

The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers. Phenomite says that attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet.

Since these packets are UDP-based, they can also be modified to contain an incorrect return IP address. This means that an attacker can send a single-byte UDP packet to a Powerhouse VPN server, which then amplifies it and sends it to the IP address of a victim of a DDoS attack — in what security researchers call a reflected/amplified DDoS attack.

ATTACKS ALREADY DETECTED IN THE WILD

Both Phenomite and ZDNet have reached out to Powerhouse Management to notify the company about its products' behavior, seeking to ensure that a patch is deployed to its servers that would prevent its VPN infrastructure from being abused in future DDoS attacks. However, the company has not responded to any of our emails.

Furthermore, we also learned today that threat actors have also discovered this DDoS attack vector, which they have already weaponized in real-world attacks, some of which have reached as much as 22 Gbps, sources have told ZDNet.

AROUND 1,520 POWERHOUSE VPN SERVERS READY TO BE ABUSED

According to a scan performed by Phenomite last week, currently, there are around 1,520 Powerhouse servers that expose their 20811 UDP port, meaning they can be abused by DDoS threat groups. While servers are located all over the world, most vulnerable systems appear to be "in the UK, Vienna, and Hong Kong," the researcher told ZDNet.

Until Powerhouse fixes this leak, the researcher has recommended that companies block any traffic that comes from the VPN provider's networks (AS21926 and AS22363) or block any traffic where "srcport" is 20811. The second solution is recommended, as it doesn't block legitimate VPN traffic from all Powerhouse VPN users but only "reflected" packets that are most likely part of a DDoS attack.

Phenomite's discovery comes to add to a long list of new DDoS amplification vectors that have been disclosed over the past three months. Previous disclosures included the likes of:

• Citrix ADC gateways
• Windows RDP servers
• Plex media servers

Source: Powerhouse VPN products can be abused for large-scale DDoS attacks
  11. Plex Media servers actively abused to amplify DDoS attacks

Plex Media Server systems are actively being abused by DDoS-for-hire services as a UDP reflection/amplification vector in Distributed Denial of Service (DDoS) attacks.

Plex Media Server provides users with a streaming system compatible with the Windows, macOS, Linux, and FreeBSD platforms, as well as network-attached storage (NAS) devices, Docker containers, and more.

Netscout says that amplified PMSSDP DDoS attacks observed since November 2020 have been abusing UDP/32414 SSDP HTTP/U responses from exposed broadband Internet access routers and redirected towards attackers' targets.

This junk traffic reflected onto victims' servers is sourced from Simple Service Discovery Protocol (SSDP) probes sent by Plex through the G’Day Mate (GDM) protocol for local network service discovery.

In January, Baidu Security Lab also reported observing DDoS attacks using Plex as an amplification vector. According to a subsequent report from ZoomEye, not all Plex Media Server versions can be abused by attackers.

"After testing by Baidu Lab researchers, it was found that the version of Plex used to attack was less than version 1.21, so it can be inferred that version 1.21 of Plex released in late January this year has fixed this problem (although no relevant information has been seen in the plex official Security bulletin)," ZoomEye said.

Abused in single and multi-vector DDoS attacks

Attacks abusing this UDP reflection/amplification attack vector by targeting PMSSDP reflectors/amplifiers on the UDP/32414 port have an amplification ratio of ~4.68:1 and peak at ~3 Gbps.

However, as Netscout said, "multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps."

Attackers can exploit roughly 27,000 exposed devices running Plex Media Server to amplify and reflect DDoS traffic onto their targets' systems.

"It should be noted that a single-vector PMSSDP reflection/amplification attack of ~2 Gbps – ~3 Gbps in size is often sufficient to have a significant negative impact on the availability of targeted networks/servers/services," Netscout added. "The incidence of both single-vector and multi-/omni-vector reflection/amplification attacks leveraging PMSSDP has increased significantly since November of 2020, indicating its perceived utility to attackers."

As it regularly happens with newer DDoS attack vectors, PMSSDP has also been weaponized and is now actively used by booter/stresser DDoS-for-hire services.

These platforms are regularly used by pranksters or threat actors without the skills or time to invest in establishing their own DDoS attack infrastructure. Booters' services are rented to launch large-scale DDoS attacks targeting servers or sites to trigger a denial of service that usually brings them down or disrupts online services.

PMSSDP DDoS mitigation

Broadband Internet access operators with PMSSDP reflectors/amplifiers exposed on their networks by customers can experience "partial or full interruption of end-customer broadband Internet access, as well as additional service disruption due to access, distribution, aggregation, core, peering, or transit link capacity consumption."

While filtering all traffic on UDP/32414 can mitigate such attacks, this could also cause legitimate traffic and connections to get blocked. To mitigate the impact of such attacks, organizations can quarantine end-customer nodes exposed to attacks and/or filter UDP/32414 traffic on abusable nodes.

"Network operators should perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers," Netscout added. "It is strongly recommended that SSDP be disabled by default on operator-supplied broadband Internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers."

DHS-CISA provides guidance on how to avoid becoming a DDoS victim, how to detect DDoS attacks, as well as on what measures to take while being DDoSed.

Earlier this month, Netscout reported that Windows Remote Desktop Protocol (RDP) servers are now also being abused by DDoS-for-hire services as a reflection/amplification DDoS vector.

In 2019, Netscout also detected DDoS attacks abusing the macOS Apple Remote Management Service (ARMS) as an amplification vector. ARMS-abusing DDoS attacks observed at the time peaked at 70 Gbps, with an amplification ratio of 35.5:1.

Source: Plex Media servers actively abused to amplify DDoS attacks
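The UDP reflection pattern the WS-Discovery (3702), ARMS (3283), Powerhouse VPN (20811) and Plex PMSSDP (32414) posts above describe leaves a recognisable signature in flow data, and the same data shows which of an operator's own hosts are answering on those ports to the outside. The following is an added example, not code from Netscout, ZDNet or any source quoted in these posts, that scans constructed NetFlow-style records for both sides of the problem; the flow records and the `REFLECTOR_PORTS` table are constructed here from the ports named in the posts.

```python
"""Spot UDP reflection/amplification traffic in NetFlow-style records.

Two views of the same problem:
  * inbound_reflection_floods: a target inside our prefix receiving UDP
    from many distinct reflectors whose source port is an abused service;
  * internal_reflectors: hosts inside our prefix answering from such a
    port to outside addresses, i.e. our own devices being used as bouncers.
The flow records are constructed; the port list comes from the posts above.
"""
import ipaddress
from collections import defaultdict

# UDP services named in the posts as reflection/amplification vectors.
REFLECTOR_PORTS = {
    3702: "WS-Discovery",      # ONVIF cameras, printers, DVRs
    3283: "Apple ARMS",        # macOS Remote Desktop, 35.5:1 reported
    20811: "Powerhouse VPN",   # up to 40x reported
    32414: "Plex PMSSDP",      # ~4.68:1 reported
}

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.10", 3283, "198.51.100.5", 443, "udp", 1200, 1_380_000),
    ("203.0.113.11", 3283, "198.51.100.5", 443, "udp", 1100, 1_265_000),
    ("203.0.113.12", 3283, "198.51.100.5", 443, "udp", 900, 1_035_000),
    ("203.0.113.13", 3702, "198.51.100.5", 443, "udp", 400, 600_000),
    ("192.0.2.7", 53, "198.51.100.5", 40000, "udp", 2, 300),               # normal DNS reply
    ("198.51.100.77", 32414, "203.0.113.200", 5555, "udp", 900, 500_000),  # our host reflecting
    ("198.51.100.8", 49152, "203.0.113.201", 443, "tcp", 50, 60_000),      # ordinary TCP
]


def inbound_reflection_floods(flows, protected_prefix, min_reflectors=3):
    """Targets in our prefix hit from >= min_reflectors distinct reflectors
    on one abused source port.  Keyed by (target_ip, service name)."""
    net = ipaddress.ip_network(protected_prefix)
    seen = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if ipaddress.ip_address(dst) not in net or ipaddress.ip_address(src) in net:
            continue
        entry = seen[(dst, REFLECTOR_PORTS[sport])]
        entry["reflectors"].add(src)
        entry["packets"] += pkts
        entry["bytes"] += nbytes
    # Large average datagrams are the amplification signature; one reflector
    # can be a coincidence, many at once aimed at one host are not.
    return {
        key: {"reflectors": len(v["reflectors"]), "packets": v["packets"],
              "bytes": v["bytes"],
              "avg_bytes_per_packet": round(v["bytes"] / v["packets"], 1)}
        for key, v in seen.items() if len(v["reflectors"]) >= min_reflectors
    }


def internal_reflectors(flows, protected_prefix):
    """Hosts inside our prefix sending UDP from an abused service port to
    outside addresses: candidates for the boundary filter or quarantine
    the posts recommend.  Returns {host_ip: service name}."""
    net = ipaddress.ip_network(protected_prefix)
    found = {}
    for src, sport, dst, _dport, proto, _pkts, _nbytes in flows:
        if (proto == "udp" and sport in REFLECTOR_PORTS
                and ipaddress.ip_address(src) in net
                and ipaddress.ip_address(dst) not in net):
            found[src] = REFLECTOR_PORTS[sport]
    return found


if __name__ == "__main__":
    print(inbound_reflection_floods(SAMPLE_FLOWS, "198.51.100.0/24"))
    print(internal_reflectors(SAMPLE_FLOWS, "198.51.100.0/24"))
```

On the sample data the three ARMS reflectors hitting 198.51.100.5 are reported as one flood while the lone WS-Discovery source stays below the threshold, and 198.51.100.77 is listed as a Plex reflector inside the protected prefix.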