DDoS attack

Linode Hit by DDoS Attacks

Cloud hosting company Linode has suffered a series of service interruptions due to distributed denial-of-service (DDoS) attacks launched against its infrastructure over the past few days.

The campaign started on December 26 when the company reported that DDoS attacks had disrupted the Linode Manager and its website. On the same day, the attackers also targeted Linode’s DNS infrastructure, and the company’s data centers in Dallas, Atlanta, London and Newark.

It took roughly 2-3 hours for Linode’s systems and network engineering teams and the company’s upstream providers to mitigate the attacks.

On December 27, DDoS attacks hit the data centers in Atlanta, Newark, and London. Linode's service status page shows that it took the company nearly four hours to mitigate the attack against the London data center, while network connectivity was restored in about one hour in Atlanta and two hours in Newark.

The attacks against various components of Linode’s infrastructure continued on Monday and Tuesday.

In the early hours of Wednesday, shortly after announcing that a DDoS attack affecting Linode’s website had been mitigated, the company reported seeing continued attacks disrupting access to its web services.

The latest update indicates that the Dallas data center was again targeted recently, causing packet loss.

Kaspersky Lab reported in November that in the third quarter of 2015, Linux-based botnets accounted for nearly half of the total number of DDoS attacks. The most notable was the XOR DDoS botnet, which malicious actors leveraged to launch attacks that peaked at more than 150 Gbps.

A Kaspersky report released in December showed that almost half of the organizations hit by DDoS attacks actually claimed to know the identity of the attackers. The study is based on information from more than 5,500 companies across 26 countries.



JavaScript DDoS Attack Peaks at 275,000 Requests-Per-Second

Two years ago at the Black Hat conference, WhiteHat Security researchers Jeremiah Grossman and Matt Johansen explained how hackers could in theory leverage an online ad network to distribute malicious JavaScript efficiently and quickly.

Depending on how much money the attacker wanted to spend, they could do just about anything, from drive-by download attacks to search engine poisoning to DDoS attacks.

“For a DDoS attack, for mere dollars we could bring down one Apache server very quickly for probably under $10 and hold it down for a long time,” Grossman told Threatpost in 2013. “I don’t know if it has good DDoS protection how much it would cost us, but it probably wouldn’t cost $100. This means that anyone without DDoS protection is susceptible to a $10 attack that could bring them down.”

Using JavaScript to bring down a target has slowly moved out of the theoretical, given the Great Cannon research done earlier this year by Citizen Lab and a JavaScript-based DDoS attack against 8chan that originated in malicious image files hosted on Imgur. CloudFlare on Friday described a voluminous attack against an unnamed customer that it speculates could have been launched using a mobile ad network.

Researcher Marek Majkowski said the flood peaked at 275,000 HTTP requests per second, close to 1.2 billion requests per hour, during a four-hour span. Most of the requests came from mobile browsers based in China.

“There is no way to know for sure why so many mobile devices visited the attack page, but the most plausible distribution vector seems to be an ad network,” Majkowski wrote. “It seems probable that users were served advertisements containing the malicious JavaScript. [These] ads were likely showed in iframes in mobile apps, or mobile browsers to people casually browsing the internet.”

Majkowski said this was not a packet-injection type of attack. Instead, users' mobile browsers were likely served iframes containing ads requested from a mobile ad network. The network forwarded those requests to malicious third parties that had won the real-time bidding for the slot, and the user was served a page containing malicious JavaScript that sent a flood of XHR requests against the targeted website, CloudFlare said.

“It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it. Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizable browser-based floods,” Majkowski said. “Attacks like this form a new trend. They present a great danger in the internet — defending against this type of flood is not easy for small website operators.”
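The distribution mechanism described above has a detection consequence worth spelling out: each phone contributes only a handful of XHRs, so per-client rate limits see very little, while the one thing all of the flood traffic has in common is the page that carried the script. The following Node.js script is an added example, not code from CloudFlare or from the Threatpost article, and it assumes a web server that logs the X-Requested-With header as an extra field after the standard Combined Log Format; the log lines, the ad-network host ad-serving.example, the client addresses and the thresholds are all constructed for the example.

```javascript
// Added example: offline detection of an ad-network-distributed XHR flood in
// web-server access logs. Not code from CloudFlare or the article.
//
// Log format assumed here: Apache Combined Log Format with one extra quoted
// field, the request's X-Requested-With header ("-" when absent).
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (?:\d+|-) "([^"]*)" "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;                       // tolerate lines in other formats
  return { ip: m[1], ts: m[2], method: m[3], path: m[4],
           status: m[5], referer: m[6], ua: m[7], xrw: m[8] };
}

// Group requests by (Referer, second). A legitimate page rarely makes dozens
// of distinct clients fire XHRs at the origin within the same second; a page
// carrying the flood script does exactly that.
function findBrowserFloods(lines, { minClients = 5, minRequests = 20, minXhrShare = 0.9 } = {}) {
  const buckets = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.referer === '-') continue;   // direct hits carry no page to key on
    const key = `${r.referer}|${r.ts}`;
    let b = buckets.get(key);
    if (!b) {
      b = { referer: r.referer, second: r.ts, requests: 0, xhr: 0, clients: new Set() };
      buckets.set(key, b);
    }
    b.requests += 1;
    if (r.xrw === 'XMLHttpRequest') b.xhr += 1;
    b.clients.add(r.ip);
  }
  const floods = [];
  for (const b of buckets.values()) {
    const xhrShare = b.xhr / b.requests;
    if (b.clients.size >= minClients && b.requests >= minRequests && xhrShare >= minXhrShare) {
      floods.push({ referer: b.referer, second: b.second, requests: b.requests,
                    clients: b.clients.size, xhrShare });
    }
  }
  return floods;
}

// ---- constructed sample input (not real traffic) ----
const ATTACK_REFERER = 'http://ad-serving.example/creative/4471';   // hypothetical ad page
const MOBILE_UA = 'Mozilla/5.0 (Linux; Android 5.1; SM-G900F) AppleWebKit/537.36 Mobile Safari/537.36';
const DESKTOP_UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0';

function logLine(ip, path, referer, ua, xrw) {
  return `${ip} - - [11/Sep/2015:14:03:12 +0000] "GET ${path} HTTP/1.1" 200 512 "${referer}" "${ua}" "${xrw}"`;
}

function buildSampleLog() {
  const lines = [
    // ordinary visitors: different pages, mostly no XHR
    logLine('203.0.113.10', '/index.html', 'https://www.example.org/', DESKTOP_UA, '-'),
    logLine('203.0.113.11', '/about.html', 'https://www.example.org/index.html', DESKTOP_UA, '-'),
    logLine('203.0.113.12', '/api/comments?page=1', 'https://www.example.org/post/42', MOBILE_UA, 'XMLHttpRequest'),
  ];
  // the flood: 10 mobile clients behind the same ad creative, only 3 XHRs each,
  // all landing in the same second
  for (let c = 0; c < 10; c++) {
    for (let n = 0; n < 3; n++) {
      lines.push(logLine(`198.51.100.${20 + c}`, `/?_=${c * 3 + n}`, ATTACK_REFERER, MOBILE_UA, 'XMLHttpRequest'));
    }
  }
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findBrowserFloods(buildSampleLog()), null, 2));
}
```

Run it with node and it reports the single flagged referer, with 30 requests from 10 distinct clients, while the three ordinary visitors trigger nothing. The thresholds are illustrative, and a Referer can be stripped or forged, so a hit is best used as the trigger for a JavaScript challenge or a rate limit keyed on that referer rather than as proof on its own.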


DD4BC Group Targets Companies with Ransom-Driven DDoS Attacks

According to the 2015 Information Security Breaches Survey, a PwC study that I recently analyzed in an article for The State of Security, the number of denial of service (DoS) attacks has either dropped or remained stagnant for most UK corporations over the past year.

Apparently, this decline has not stopped certain malicious actors from getting creative with their distributed denial of service (DDoS) attacks, however.

Among the groups that embraced DDoS attack campaigns this past year is Lizard Squad, a hacking group that set up a DDoS stresser service earlier in 2015 after successfully overloading the networks of both PlayStation Network and Xbox Live on December 25th, 2014. These attacks may have ultimately contributed to Akamai's finding that the world saw a 90 percent increase in DDoS attacks in 2014's final quarter as compared to Q3. DDoS attacks are also not exclusive to amateur hacking groups.

Earlier this spring, GitHub was hit with a large DDoS attack attributed to China, which caused service interruptions for some users.

Now in the middle of 2015, yet another group has put its own spin on this tried and true method of network disruption. As analyzed by Heimdal Security Software, a group of computer criminals known as ‘DD4BC’ is threatening targets with massive DDoS attacks unless they pay a ransom using Bitcoins. These attacks generally bring down vital business services and cause disruption and financial loss.

Each campaign launched by DD4BC begins with an email that informs the victim of a low-level DDoS attack currently underway against the victim’s website. The email, as revealed by Akamai in a profile of the group, then goes on to demand a ransom paid in Bitcoins in return for DD4BC abstaining from launching a larger DDoS attack against the target.

According to research published by the Swiss Government Computer Emergency Response Team, DD4BC is theoretically capable of launching attacks consuming up to 500 Gbit/s of bandwidth, about 1,000 times the capacity of a DSL/cable line, by using amplification attacks that abuse the NTP, SSDP or DNS protocol: small requests with a spoofed source address are sent to open servers, whose much larger responses are delivered to the victim. In reality, Incapsula, a cloud-based application delivery platform, has noted in a blog post that the group generally launches small application-layer attacks that peak at 150 requests per second.

This does not stop security personnel and law enforcement officials from taking DD4BC seriously, however.

“We are working closely with law enforcement in various jurisdictions to make sure they have a clear picture of what we see and face,” Troels Oerting, group chief information security officer at Barclays and former head of Europol’s European Cybercrime Centre (EC3), told Computer Weekly. “We take the necessary steps to prevent, detect, react and mitigate all kinds of cyber crime we face, and that is simply the way we work. We take our customers and employees’ privacy and security very.”

The exploits of DD4BC go back at least a year. In November of 2014, reports emerged of the group having sent a note to the Bitalo Bitcoin exchange demanding 1 Bitcoin in return for helping the site enhance its protection against DDoS attacks. At the same time, DD4BC executed a small-scale attack to demonstrate the exchange's vulnerability to this method of disruption. Bitalo ultimately refused to pay the ransom, however. Instead, the site publicly accused the group of blackmail and extortion and created a bounty of more than USD $25,000 for information regarding the identities of those behind DD4BC.

Since then, the group has begun demanding Bitcoin ransom payments in exchange for refraining from launching large-scale DDoS campaigns. In March of this year, for example, DD4BC targeted Bitmain, one of the largest Bitcoin mining equipment manufacturers in the world, and demanded a ransom payment of 10 BTC to prevent an attack. Like Bitalo, Bitmain refused to pay the ransom. In fact, it ultimately added 10 Bitcoins to Bitalo's existing bounty.

DD4BC is still active as of this writing and is demanding as many as 25 Bitcoins from affected parties in exchange for assurance against a large DDoS attack.

To protect against the attacks launched by DD4BC and other groups, it is recommended that companies invest in anti-DDoS technology and create a computer emergency response team (as well as an organization-wide security policy) that outlines a plan of action if an attack ever arises.