MegaUpload Arrests Spark Anonymous Fury is reporting that the shutdown of Megaupload, accused of breaking copyright laws, has spawned retaliatory attacks by the hacktivist group Anonymous.  Gizmodo is continuing to update their article regularly, and I highly staying on top of it.  Among sites reported as being down are the Universal Music Group and BMI, the US Copyright Office, the Motion Picture Association of America, and several law enforcement and government agencies.  Recent claims by Anonymous indicate that this is their biggest DoS campaign, ever.

The government takes down Megaupload? 15 minutes later Anonymous takes down government & record label sites,” a member of Anonymous said via Twitter. Continue reading

NYSE Appears Unaffected By DDoS

A video posted on YouTube purportedly by hackers in the notorious hacking group Anonymous threatened a Monday shutdown of the New York Stock Exchange through DDoS (distributed denial-of-service) attack on their website.  The video begins dramatically with an eerie drumbeat, followed by some wierd chanting.  The website of the New York Stock Exchange slowed down significantly a couple of times on Monday afternoon, according to an Internet and mobile cloud monitoring company.

“Citizens of the world,” announces a creepy, prerecorded voice. “We are  Anonymous for too long. The crimes of Wall Street bankers, CEOs, and a corrupt  political system have created economic injustice that has gone  unchallenged.”

The video continues with references to the ongoing Occupy Wall Street protests.  (“We are the 99%,” etc.)  This new effort is called “Invade Wall Street,” and if we can believe a newly placed  message running alongside the video, “It is a fake planted operation by law  enforcement and cyber-crime agencies in order to get you to undermine the Occupy  Wall Street movement.”

I think they may have bitten off more than they can chew with this attack, and if DDoS’ing the NYSE website has any affect on markets, I would be very surprised.

WordPress Under Attack

If you were trying to get here, or to just about any other blog on the WordPress site, you probably noticed that things were loading just a little slower than usual. That is because the domain has been under a distributed denial of service attack since early Thursday. Using the same method as the hackers who brought down the main websites of Visa, Mastercard and PayPal last year to support the whistle-blowing website WikiLeaks, Thursday’s attacks have caused most of WordPress-powered blogs to become nearly inaccessible.

The attack is extremely large, multiple Gigabits per second and tens of millions of packets of data per second. WordPress folks are working to mitigate the attack, but because of the size, it is proving rather difficult. A typical DDoS attack works by bombarding a certain domain or web address with an overwhelming number of requests for access. Websites are only designed to handle a certain number of requests and can shut down if that number is greatly exceeded.

The motivation for the attack on WordPress is currently unknown.  The attacks appear to have somewhat subsided, though HTTPS access remains hindered.

UPDATE:  Cnet has some pretty good analysis of this event.


DDoS On Dutch Bank

ComputerWorld has posted an article recently on a subject that I haven’t heard a lot about for the last year.  It seems a Dutch bank was the victim of a malicious Distributed Denial of Service (DDoS) attack.  I say malicious, as there have been instances where a bank was accidentally hit with a traffic flood due to misconfiguration of a common tool, and even some spotty attacks that were quickly detected and avoided.  But nothing that I can recall recently where a brazen attack was aimed squarely at a bank, and took them off the map for a couple of days.  Apparently, the Dutch Government has been detecting similar attacks on their networks.

In my work with the Canadian Financial Institution Computer Incident Response Team (CFI-CIRT), I examined and reported on DDoS avoidance and response practices on behalf of the Canadian banking community.  Not a lot had changed from the last time that I had looked at DDoS protection mechanisms several years prior.  The solutions were just as expensive, just as finicky, and just as hard to justify to management without a direct attack to show losses against.  Your choices seemed to be (pick any 3):

  • Over provision your bandwidth.
  • Keep a second provider as a disaster recovery / incident response alternate.
  • Add an appliance or three to your architecture to examine and scrub the data stream.
  • Subscribe to a third-party service that filters the data stream.
  • Subscribe to a third-party service that provides redundant routes to the nth degree.
  • Convince your ISP to provide filtering services on demand as part of your incident response plan.
  • Build an internal response plan that engages the right folks to escalate the response externally.

Has anyone looked into DDoS solutions lately?  Have there been any improvements in the choices and offerings available to large and small businesses?

Threat Landscape Shifts

I have watched the vulnerability exploitation window move down over the years, from 1 year in the ’90s, to 3 months in 2000, and more recently to just under 30 days.  This is the amount of time that it takes for an attacker to develop working, weaponized exploit code for execution in the wild.  This development window is for privately reported vulnerabilities, and does not consider the zero-day threat where a “researcher” discovers a vulnerability and publicly discloses the details, or simply starts exploiting it.

Fortinet, a network security and unified threat management (UTM) solutions provider reveals a 61% exploitation rate of new vulnerabilities discovered in January in its January 2011 Threat Landscape report.  Fortinet says that during a typical month, exploit activity falls between 30% and 40%.  Half of new critical rated vulnerabilities were targeted, offering arbitrary code execution by an attacker on a target machine. 

In order to pull this accelleration off, they have been reverse engineering patches released by the vendors, identifying the differences between the patched and unpatched files, and then targeting their research on the changes being made to develop their exploit code.  SecurityWeek

InformationWeek is reporting that Distributed denial of service (DDoS) attacks, the bane of all online services, have broken the 100 Gbps barrier, increasing in bandwidth by 102% over the past year, and by 1000% since 2005.   This finding comes from an infrastructure security report, released on Tuesday by Arbor Networks.  The company surveyed 111 IP network operators from around the world, and found the volume and severity of attacks continues to increase.

The attacks appear to be driven by the spread of botnet malware agents that allow an attacker to use compromised computers to launch coordinated and focused attacks.  This has led to rapidly escalating DDoS attack size, frequency, and sophistication.  “Adding to the challenges facing operators is the increasing number of attack vectors, including applications and services, not to mention the proliferation of mobile devices” according to Roland Dobbins, a solutions architect at Arbor Networks.

Dealing with DDoS has been a major challenge for businesses of all size.  Solutions have been targeted at ISPs and very, very large enterprises, but have had very low adoption rates becaused of cost limitations.  ISPs can’t generally justify the expense without some sort of return on investment, and protection against a threat that may or may not materialize is a very tough sell as a value added proposition and justify in the boardroom.

Botnet Targets Food Processing Firms

According to The Register, a new family of malware is attacking the websites of firms involved in the industrial food processing industry.  Variants of the Darkshell botnet circulating in China, turn infected Windows machines into attack platforms. Infected machines regularly connect to command and control nodes, periodically receiving instructions on sites to inundate with junk traffic in Distributed Denial of Service attacks.

Arbor Networks has been tracking the activities of the cybercrime networks for the last three months, and reports that Darkshell botnets have launched DDoS attacks against 97 unique victims, mostly in China and the US.  Victims have included online merchants of baby products and jewellery as well as video game related sites.  A big percentage of targets have been the websites of small manufacturers of industrial food processing equipment and machinery.

WikiLeaks Site Attacked Again

Wikileaks has been hit by a second distributed denial of service attack.  The renewed DDoS attack followed attempts to knock the site off the web on Sunday night as it prepared to release the controversial hundreds of thousands of US diplomatic cables.

According to The Register, the site confirmed the latest attack on its Twitter feed Tuesday afternoon.  Analysis of the first attack by experts Arbor Networks shows that the attack threw a relatively modest 2-4Gbps at the site for several hours.  Modest by the standards of other similar attacks this year, it was severe enough for Wikileaks to move its systems back into Amazon’s cloud infrastructure to seek shelter from the onslaught.