Blog

  • Major banks hit with biggest cyberattacks in history

    posted by Keito
    2012-09-29 16:57:00
    'There's a good chance your bank's website was attacked over the past week.

    Since Sept. 19, the websites of Bank of America (BAC, Fortune 500), JPMorgan Chase (JPM, Fortune 500), Wells Fargo (WFC, Fortune 500), U.S. Bank (USB, Fortune 500) and PNC Bank have all suffered day-long slowdowns and been sporadically unreachable for many customers. The attackers, who took aim at Bank of America first, went after their targets in sequence. Thursday's victim, PNC's website, was inaccessible at the time this article was published.

    Security experts say the outages stem from one of the biggest cyberattacks they've ever seen. These "denial of service" attacks -- huge amounts of traffic directed at a website to make it crash -- were the largest ever recorded by a wide margin, according to two researchers.

    Banks get hit by cyberattackers all the time and typically have some of the best defenses against them. This time, they were outgunned.

    "The volume of traffic sent to these sites is frankly unprecedented," said Dmitri Alperovitch, co-founder of CrowdStrike, a security firm that has been investigating the attacks. "It's 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack."

    To carry out the cyberattacks, the attackers got hold of thousands of high-powered application servers and pointed them all at the targeted banks. That overwhelmed Bank of America and Chase's Web servers on Sept. 19, Wells Fargo and U.S. Bank on Wednesday and PNC on Thursday. Fred Solomon, a spokesman for PNC, confirmed that a high volume of traffic on Thursday was affecting users' ability to access the website, but he declined to go into more detail.

    Denial of service attacks are an effective but unsophisticated tool that doesn't involve any actual hacking. No data was stolen from the banks, and their transactional systems -- like their ATM networks -- remained unaffected. The aim of the attacks was simply to temporarily knock down the banks' public-facing websites.

    To get hold of all the servers necessary to launch such huge attacks, the organizers needed to plan for months, Alperovitch said. The servers had to be compromised and linked together into a network called a "botnet."

    That level of pre-planning is a deviation from the kinds of denial of service attacks launched at banks in the past by so-called "hacktivists." Typically, hacktivists use home PCs infected with malware to amass their botnets. Attacks on this scale would be impossible to carry out with home PCs -- users too frequently turn them off or disconnect them from the Internet.

    The Islamist group Izz ad-Din al-Qassam Cyber Fighters publicly claimed responsibility for the attacks in what it called "Operation Ababil", but researchers are divided about how seriously to take their claims. The group has launched attacks in the past, but those have been far less coordinated than the recent batch.

    Sen. Joe Lieberman, an Independent from Connecticut, said in a C-SPAN interview on Wednesday that he believed the attacks were launched by Iran.

    "I don't believe these were just hackers who were skilled enough to cause disruption of the websites," he said. "I think this was done by Iran ... and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions."

    A call requesting comment from the Department of Homeland Security's cybersecurity office was not immediately returned.

    A cybersecurity firm following the attacks also expressed doubt about the connections between the Cyber Fighters and the bank attacks. On social networks and chat forums, the group urged its followers to use a mobile "low orbit ion cannon" -- a software tool typically used by Anonymous and other hacktivist groups to direct a massive flood of traffic at a targeted site.

    That tool was not used in the attack, according to Ronen Kenig, director of security products at network security firm Radware.

    "Supporters of this group didn't join in the attack at all, or they joined in but didn't use that tool," said Kenig. "The attack used a botnet instead." He doesn't think the Cyber Fighters would have access to a botnet as advanced as the one used by the attackers.

    But CrowdStrike's Alperovitch said he is "quite confident" the perpetrator was the Izz ad-Din al-Qassam Cyber Fighters, since they announced each attack well before it was carried out, and the attack wasn't that sophisticated -- it just took significant planning. PNC was the last target on the lists the Cyber Fighters have circulated, but more attacks could still be coming.

    Both researchers agree that the controversial anti-Muslim YouTube video was not the initial impetus for the attacks, as the Cyber Fighters claimed in messages recruiting volunteers to join in. Before the video was even released, the group claimed responsibility for similar attacks.

    "The video is simply an excuse," Alperovitch said. "It's a red herring."'


    http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/
  • How to Launch a 65Gbps DDoS, and How to Stop One

    posted by Keito
    2012-09-18 18:52:43
    'Yesterday I posted a post mortem on an outage we had Saturday. The outage was caused when we applied an overly aggressive rate limit to traffic on our network while battling a determined DDoS attacker. In the process of writing it I mentioned that we'd seen a 65Gbps DDoS earlier on Saturday. I've received several questions since that all go something like: "65Gbps DDoS!? Who launches such an attack and how do you defend yourself against it?!" So I thought I'd give a bit more detail.

    ### What Constitutes a Big DDoS?

    A 65Gbps DDoS is a big attack, easily in the top 5% of the biggest attacks we see. The graph below shows the volume of the attack hitting our EU data centers (the green line represents inbound traffic). When an attack is 65Gbps that means every second 65 Gigabits of data is sent to our network. That's the equivalent data volume of watching 3,400 HD TV channels all at the same time. It's a ton of data. Most network connections are measured in 100Mbps, 1Gbps or 10Gbps so attacks like this would quickly saturate even a large Internet connection.

    At CloudFlare, an attack needs to get over about 5Gbps to set off alarms with our ops team. Even then, our automated network defenses usually stop attacks without the need of any manual intervention. When an attack gets up in the tens of Gigabits of data per second, our ops team starts monitoring the attack: applying filters and shifting traffic to ensure the attacked customer's site stays online and none of the rest of our network is affected.

    ### So You Want to Launch a DDoS

    So how does an attacker generate 65Gbps of traffic? It is highly unlikely that the attacker has a single machine with a big enough Internet connection to generate that much traffic on its own. One way to generate that much traffic is through a botnet. A botnet is a collection of PCs that have been compromised with a virus and can be controlled by what is known as a botnet herder.

    Botnet herders will often rent out access to their botnets, often billing in 15 minute increments (just like lawyers). Rental prices depend on the size of the botnets. Traditionally, email spammers purchased time on botnets in order to send their messages to appear to come from a large number of sources. As email spam has become less profitable with the rise of better spam filters, botnet herders have increasingly turned to renting out their networks of compromised machines to attackers wanting to launch a DDoS attack.

    To launch a 65Gbps attack, you'd need a botnet with at least 65,000 compromised machines each capable of sending 1Mbps of upstream data. Given that many of these compromised computers are in the developing world where connections are slower, and many of the machines that make up part of a botnet may not be online at any given time, the actual size of the botnet necessary to launch that attack would likely need to be at least 10x that size. While by no means unheard of, that's a large botnet and using all its resources to launch a DDoS risks ISPs detecting many of the compromised machines and taking them offline.

    ### Amplifying the Attacks

    Since renting a large botnet can be expensive and unwieldy, attackers typically look for additional ways to amplify the size of their attacks. The attack on Saturday used one such amplification technique called DNS reflection. To understand how these work, you need to understand a bit about how DNS works.

    When you first sign up for an Internet connection, your ISP will provide you with a recursive DNS server, also known as a DNS resolver. When you click on a link, your computer sends a lookup to your ISP's DNS resolver. The lookup is asking a question, like: what is the IP address of the server for cloudflare.com? If the DNS resolver you query knows the answer, because someone has already asked it recently and the answer is cached, it responds. If it doesn't, it passes the request on to the authoritative DNS for the domain.

    Typically, an ISP's DNS resolvers are setup to only answer requests from the ISP's clients. Unfortunately, there are a large number of misconfigured DNS resolvers that will accept queries from anyone on the Internet. These are known as "open resolvers" and they are a sort of latent landmine on the Internet just waiting to explode when misused.

    DNS queries are typically sent via the UDP protocol. UDP is a fire-and-forget protocol, meaning that there is no handshake to establish that where a packet says it is coming from actually is where it is coming from. This means, if you're an attacker, you can forge the header of a UDP packet to say it is coming from a particular IP you want to attack and send that forged packet to an open DNS resolver. The DNS resolver will reply back with a response to the forged IP address with an answer to whatever question was asked.

    To amplify an attack, the attacker asks a question that will result in a very large response. For example, the attacker may request all the DNS records for a particular zone. Or they may request the DNSSEC records which, typically, are extremely large. Since resolvers typically have relatively high bandwidth connections to the Internet, they have no problem pumping out tons of bytes. In other words, the attacker can send a relatively small UDP request and use open resolvers to fire back at an intended target with a crippling amount of traffic.

    ### Mitigating DNS Reflection Attacks

    One of the great ironies when we deal with these attacks is we'll often get an email from the owner of the network where an open resolver is running asking us to shut down the attack our network is launching against them. They're seeing a large number of UDP packets with one of our IPs as the source coming in to their network and assume we're the ones launching it. In fact, it is actually their network which is being used to launch a network against us. What's great is that we can safely respond and ask them to block all DNS requests originating from our network since our IPs should never originate a DNS request to a resolver. Not only does that solve their problem, but it means there's a smaller pool of open resolvers that can be used to target sites on CloudFlare's network.

    There have been a number of efforts to clean up open resolvers that are currently active. Unfortunately, it is slow going and the default installation of many DNS clients still has them open by default. While we actively reach out to the worst offenders to protect our network, to protect the Internet generally there will need to be a concerted effort to clean up open DNS resolvers.

    In terms of stopping these attacks, CloudFlare uses a number of techniques. It starts with our network architecture. We use Anycast which means the response from a resolver, while targeting one particular IP address, will hit whatever data center is closest. This inherently dilutes the impact of an attack, distributing its effects across all 23 of our data centers. Given the hundreds of gigs of capacity we have across our network, even a big attack rarely saturates a connection.

    At each of our facilities we take additional steps to protect ourselves. We know, for example, that we haven't sent any DNS inquiries out from our network. We can therefore safely filter the responses from DNS resolvers: dropping the response packets from the open resolvers at our routers or, in some cases, even upstream at one of our bandwidth providers. The result is that these types of attacks are relatively easily mitigated.

    What was fun to watch was that while the customer under attack was being targeted by 65Gbps of traffic, not a single packet from that attack made it to their network or affected their operations. In fact, CloudFlare stopped the entire attack without the customer even knowing there was a problem. From the network graph you can see after about 30 minutes the attacker gave up. We think that's pretty cool and, as we continue to expand our network, we'll get even more resilient to attacks like this one.

    http://blog.cloudflare.com/65gbps-ddos-no-problem
  • U.S Department of State and several Swedish government websites targeted in DDoS attack

    posted by Keito
    2012-09-04 21:10:26
    'The U.S Department of State and a number of Swedish government websites were among those forced offline in an apparent mass DDoS (Distributed Denial of Service) attack.

    The websites for the Swedish Armed Forces, Courts Administration, and the Swedish Institute (an initiative to promote the country around the world) were among those affected.

    The person behind the Twitter account @TheWikiBoatBR (who does not appear to have an explicit association with Anonymous) posted a string of tweets suggesting responsibility for several attacks. Among those targeted were the Department of State, U.S. Department of Education, Sony, and Harvard University. The State Department site was still offline at the time of publication.

    A DDoS attack is one in which a website’s servers are overloaded by a vast number of systems trying to access them, which often forces the site offline.

    Swedish Armed Forces Communications and Public Affairs representative Therese Fagerstedt told The Local that it was not clear who was responsible, but it appears the DDoS may have been carried out to protest the charges laid against WikiLeaks founder Julian Assange.

    Prosecutors in Sweden want to charge Assange over alleged sex crimes. He has taken refuge at Ecuador’s London embassy since June, and has been granted asylum by Ecuador.

    The #OpFreeAssange hashtag, the same one used by Anonymous to discuss actions against the websites of Interpol and U.K. government websites in recent weeks, was used to talk about the Sweden attacks on Twitter.'

    http://www.dailydot.com/news/state-department-sweden-government-ddos/
  • ‘Operation Free Assange’: Anonymous take down UK’s Justice Ministry’s website

    posted by Keito
    2012-08-21 12:16:09
    'The website for the UK Ministry of Justice is under attack after hacktivists engaged a mission to try and take down justice.gov.uk in retaliation for Britain’s handling of WikiLeaks founder Julian Assange.

    Several Twitter accounts associated with the loose-knit Anonymous collective have acknowledged that the UK Ministry of Justice’s website is being targeted with a distributed denial-of-service, or DDoS, attack. The assault on the website is being carried out under a campaign branded #OpFreeAssange.

    “#OpFreeAssange: TANGO DOWN! http://www.justice.gov.uk/ [500 Internal Server Error] [#Anonymous #WikiLeaks],” reads one tweet sent from the @Anon_Central Twitter account.

    The hackers also claim to have taken down the website of another British government department, the Department of Work and Pensions. “Gov. of UK Expect Us!” read a tweet by Anonymous.

    Assange, the founder and editor of whistleblower website WikiLeaks, has been ordered by Swedish authorities to be extradited from the UK where he had been under house arrest. Two women from Sweden have accused Assange of sex crimes, although he has yet to be charged.

    In fear of being sent to Sweden and then extradited to the US to be tried for his role with WikiLeaks, Assange applied for political asylum in Ecuador, which the Latin American country finally granted him last week after two months of waiting. Regardless, British authorities have refused to give Assange safe passage out of the Ecuadorian Embassy in London so that he may travel overseas.

    Before Ecuador President Rafael Correa approved the asylum bid, British authorities threatened to storm the embassy last week, prompting supporters of Assange and WikiLeaks to surround the building overnight in hopes of deterring any attempt by the UK to follow through with the extradition.

    “If the UK did not throw away the Vienna conventions the other night, it is because the world was watching. And the world was watching because you were watching,” Assange told his supporters during his Sunday afternoon speech from London.

    “So, the next time somebody tells you that it is pointless to defend those rights that we hold dear, remind them of your vigil in the dark before the Embassy of Ecuador.”

    In addition to lambasting the British for coming close to violating international law, Assange asked for US President Barack Obama to “do the right thing” and end his war on whistleblowing, saluting accused WikiLeaks contributor Private First Class Bradley Manning as a hero whose release from prison must be made immediately.'

    http://www.trueactivist.com/operation-free-assange-anonymous-take-down-uks-justice-ministrys-website/
  • Anonymous launches #OpTrapWire

    posted by Keito
    2012-08-14 11:10:30
    Word on the internet is that Trapwire developer, Abraxas Corp (www.abraxascorp.com), is under DDoS attack and Trapwire.net is "undergoing maintenance".

    WHOIS details:

    Administrative Contact, Technical Contact:
    Abraxas Applications vw7d857r72c@networksolutionsprivateregistration.com
    ATTN TRAPWIRE.NET
    care of Network Solutions
    PO Box 459
    Drums, PA 18222
    US
    570-708-8780