Someone is attacking government websites, and a new anonymous hacking group is taking credit
March 25, 2015

State governments, beware: .gov websites are being targeted by a seemingly new hacker group.

Last Monday the central internet portal controlling all of Maine’s government websites went down for about three hours, due to a series of distributed denial of service (DDoS) attacks. On Tuesday Maine.gov went down again, this time only for two hours.

A hacking group called Vikingdom2015 took credit for the attack on Twitter. Using the hashtag “#OpAmericanGov” the Twitter account claimed that both Maine.gov and VisitNH.gov were offline.

When asked why it targeted Maine’s website, Vikingdom2015 replied, “cause they are dumb,” reports the Portland Press Herald.

All we know about Vikingdom2015 is from its Twitter presence. This group, or perhaps just a lone individual, writes tweets about hacked websites and has it out for US government websites. According to the Twitter bio, Vikingdom2015 hails from Russia and proclaims itself to be “Hackers Government.” On Wednesday, however, the account did tweet “LOL WE AREN’T FROM RUSSIA.”

The group has a formal list of potential victims. Two days ago Vikingdom2015 released a document on Pastebin enumerating its “Target List.” On it are 44 .gov websites — each a domain for a specific state — including mass.gov, nyc.gov, and texas.gov.

Vikingdom2015 also links to a SoundCloud page, which contains one ominous track about its plans. With techno-keyboard tracks in the background a computerized voice says, “Hello. We are Vikingdom2015, a hacking crew, and we uploaded this track so we can warn American citizens. We will knock all American governments’ websites offline. We do not care if we get caught. We all like doing this. So you better be prepared for the battle.”

The group has been actively tweeting for the last two weeks. It took credit for numerous site outages, including OKC.gov, which went down two days in a row beginning March 18.

But, many of its hacking claims remain unverified. One of the group’s notable claims was that it took down the video game streaming site Twitch on March 18. On Monday, Twitch notified its users that its servers had been compromised and instructed people to change their passwords. It’s highly unlikely, however, that Vikingdom2015 had anything to do with the Twitch breach.

Beyond that, Vikingdom2015 hasn’t revealed any more details about itself, or which sites will be targeted next. The account will probably continue childishly taunting Twitter users and claiming credit for DDoS attacks. In the last hour it got into a Twitter spat with the Bangor, Maine Fox affiliate WFVX. As of this posting, WFVX’s website has been offline.

The average DDoS attack tripled in volume
March 24, 2015

The average packet volume for DDoS attacks increased 340 percent to 4.36 million packets per second (Mpps), and the average bit volume swelled 245 percent to 12.1 Gbps in the final quarter of 2014, according to Black Lotus.

The increases in average attack packet and bit volume signal a change of attack methods deployed by perpetrators. Cybercriminals favored more complex attacks, using multiple vectors and blending application layer, SYN and UDP flood attacks together.

The largest bit volume DDoS attack observed during the report period was 41.1 Gbps on Oct. 1, a swell in volume since the beginning of 2014, due to attackers’ usage of blended, complex attacks to achieve outages. Organizations should take care to scrutinize other parts of their systems to guard against credential leaks or other data breaches, as cyberattackers will often use DDoS as a distraction for other nefarious activity.

Forty-nine percent of the 143,410 attacks observed during Q4 2014 were regarded as severe, and more than half of all attacks mitigated resulted from UDP flood attacks, which cause poor host performance or extreme network congestion via producing high amounts of packets and IP spoofing.

The average attack during the period reported was 12.1 Gbps, a jump in bit volume, and 4.36 Mpps, tripling average packet volume since last quarter. This indicated a continued reliance on leveraging multi-vector attacks, signaling the need for security practitioners to tap intelligent DDoS mitigation rather than padding networks with extra bandwidth.

“We found DDoS attacks continued trending down in frequency quarter over quarter, but, on average, attack volumes multiplied,” said Shawn Marck, CSO of Black Lotus. “With networks and IT teams becoming defter at spotting and stopping volumetric attacks, cybercriminals are turning to blended approaches to confuse organizations, often using DDoS attacks as smokescreens for other underhanded activity.”

Source: http://www.net-security.org/secworld.php?id=18125

Short-Duration DDoS Attacks Becoming More Popular
March 24, 2015

Corero’s DDoS Trends and Analysis quarterly report finds that short bursts of attack traffic are an increasingly common form of DDoS attack.

Distributed denial-of-service (DDoS) attacks are often associated with large bursts of attack traffic that last for hours at a time, but that’s not the only type of DDoS attack. In fact, the majority of DDoS attacks in the fourth quarter of 2014 lasted 30 minutes or fewer, a new report from Corero Network Security found.

The short-duration DDoS attacks represented 96 percent of attacks against Corero’s customers in that quarter. While the DDoS attacks were short in duration, Corero reported in its DDoS Trends and Analysis quarterly report that its customers saw an average of 3.9 attacks per day. From an attack bandwidth perspective, 79 percent of the DDoS attacks Corero saw in the fourth quarter came in at 5 Gbps or less.

“There is an existing preconception that DDoS is exclusively used to deny service to Web properties or online services,” Dave Larson, CTO and vice president of product at Corero, told eWEEK. “Our data suggests expanding the understanding of the acronym to include degrading and evading the network security layer.”

As to why Corero’s customers saw so many short-duration attacks in the fourth quarter, Larson said it is the reason for the attack that defines the timescale. In his view, the short-duration attacks are either masking some other kind of intrusion activity, which can occur within an even shorter timeframe—possibly a couple of seconds—or they are probe events to gauge the responsiveness of an intended target. The short-duration attack could also be an attempt to exploit service issues within the known response times of organizations to DDoS. Larson said that the typical cloud or scrubbing DDoS mitigation techniques take 20 to 30 minutes to detect and move routes.
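The two reports above describe what an edge-side detector has to measure: Black Lotus saw blended UDP, SYN and application-layer floods, and Corero found that most attacks last 30 minutes or fewer and arrive at 5 Gbps or less, shorter than the 20 to 30 minutes a cloud scrubbing diversion takes to detect and move routes. The Python below is an added example, not code from either vendor or from the articles. It groups constructed per-interval traffic samples into attack episodes and tags each with the buckets the reports use (short, sub-saturating, blended, ended before a scrubbing diversion would have completed). The baseline rate, the 20x attack threshold, the five-minute sampling interval and every value in the sample log are assumptions made up for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed five-minute traffic samples from one monitored edge link.
# Fields: ISO timestamp, dominant vector, packets per second, bits per second.
# The values are made up for illustration, not data from Corero or Black Lotus.
SAMPLE_LOG = """\
2014-12-01T10:00:00 udp 10000 50000000
2014-12-01T10:10:00 udp 2200000 2900000000
2014-12-01T10:15:00 syn 2600000 3400000000
2014-12-01T10:20:00 udp 9000 45000000
2014-12-01T10:25:00 http 12000 60000000
2014-12-01T10:30:00 udp 4000000 12100000000
2014-12-01T10:35:00 udp 4300000 13000000000
2014-12-01T10:40:00 syn 4400000 14000000000
2014-12-01T10:45:00 udp 4100000 12500000000
2014-12-01T10:50:00 udp 4500000 15000000000
2014-12-01T10:55:00 syn 4360000 12100000000
2014-12-01T11:00:00 udp 4200000 13500000000
2014-12-01T11:05:00 udp 10500 52000000
2014-12-01T11:10:00 http 350000 900000000
2014-12-01T11:15:00 udp 9800 49000000
"""

SAMPLE_INTERVAL = timedelta(minutes=5)     # assumed sampling interval of the log
BASELINE_PPS = 10_000                      # assumed normal packet rate for this link
ATTACK_MULTIPLIER = 20                     # a sample at 20x baseline counts as attack traffic
SHORT_ATTACK = timedelta(minutes=30)       # Corero's "30 minutes or fewer" bucket
SUB_SATURATING_BPS = 5_000_000_000         # Corero's "5 Gbps or less" bucket
SCRUBBING_WINDOW = timedelta(minutes=20)   # low end of the 20-30 minute route-swing time

Sample = namedtuple("Sample", "ts vector pps bps")


@dataclass
class Episode:
    start: datetime
    end: datetime            # timestamp of the last over-threshold sample
    peak_pps: int
    peak_bps: int
    vectors: List[str]       # distinct vectors seen while the episode lasted


def classify(ep: Episode) -> Dict[str, object]:
    """Flags that map one episode onto the buckets used in the vendor reports."""
    # Each sample covers one interval, so a one-sample episode lasts one interval.
    duration = ep.end - ep.start + SAMPLE_INTERVAL
    return {
        "duration_min": int(duration.total_seconds() // 60),
        "blended": len(ep.vectors) > 1,
        "short": duration <= SHORT_ATTACK,
        "sub_saturating": ep.peak_bps <= SUB_SATURATING_BPS,
        # Traffic stopped before a cloud scrubbing diversion would have completed,
        # so only an inline, always-on defence could have acted on it.
        "ends_before_scrubbing": duration < SCRUBBING_WINDOW,
    }


def parse_log(text: str) -> List[Sample]:
    samples = []
    for line in text.splitlines():
        if line.strip():
            ts, vector, pps, bps = line.split()
            samples.append(Sample(datetime.fromisoformat(ts), vector, int(pps), int(bps)))
    return samples


def find_episodes(samples: List[Sample]) -> List[Episode]:
    """Group consecutive over-threshold samples into attack episodes."""
    threshold = BASELINE_PPS * ATTACK_MULTIPLIER
    episodes, cur = [], None
    for s in samples:
        if s.pps < threshold:
            cur = None                       # a normal sample closes the open episode
        elif cur is None:
            cur = Episode(s.ts, s.ts, s.pps, s.bps, [s.vector])
            episodes.append(cur)             # same object keeps being updated below
        else:
            cur.end = s.ts
            cur.peak_pps = max(cur.peak_pps, s.pps)
            cur.peak_bps = max(cur.peak_bps, s.bps)
            if s.vector not in cur.vectors:
                cur.vectors.append(s.vector)
    for ep in episodes:
        ep.vectors.sort()
    return episodes


def summarize(episodes: List[Episode]) -> Dict[str, float]:
    """Shares of attacks in each bucket, in the style of the quarterly reports."""
    flags = [classify(e) for e in episodes]
    n = len(flags)
    share = lambda key: sum(1 for f in flags if f[key]) / n if n else 0.0
    return {"attacks": n, "short_share": share("short"),
            "sub_saturating_share": share("sub_saturating"),
            "blended_share": share("blended"),
            "missed_by_scrubbing_share": share("ends_before_scrubbing")}
```

Run against the constructed log, `find_episodes` yields three episodes: a ten-minute blended UDP/SYN burst at 3.4 Gbps, a 35-minute 15 Gbps flood that a scrubbing diversion could have caught, and a single five-minute HTTP burst. Two of the three end inside the 20-minute window, which is the point Larson makes: a detector that only counts long, saturating floods would report one attack where the link actually saw three.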

Corero is not the first vendor to point out that not all DDoS attacks make use of large bandwidth volumes of traffic. Back in 2013, security vendor Arbor pointed out the dangers of low-bandwidth attacks such as the Apache Killer, Slowloris and R-U-Dead-Yet (RUDY). Larson said that his company’s report does not make a distinction among the slow events.

“For now, we think it is important that organizations become aware of the fact that not all low-bandwidth DDoS is a connection occupation/starvation attempt like Slowloris,” he said.

In recent years, other DDoS security vendors and the United States Computer Emergency Readiness Team (US-CERT) have pointed out the risks of amplification and reflection attacks that abuse misconfigured Domain Name System (DNS) and Network Time Protocol (NTP) servers. Larson said that Corero has not included amplification and reflection attack data statistics in the current report. That said, he noted that Corero’s plan is to provide analysis of amplification and reflection attacks in the next quarterly report. It is clear that the amplification reflection class of attack is used along a wide spectrum of bandwidth instances, from fairly small sub-saturating events to large-scale, super-saturating multi-100 Gbps attacks, he added.

In Larson’s view, Corero’s visibility into DDoS is different from other security vendors, due to the deployment and positioning of the DDoS mitigation appliance in the customer network. He explained that Corero’s SmartWall Threat Defense System (TDS) is deployed at the very edge of the customer network or at the Internet peering points as a first line of defense. From that location, the SmartWall TDS is able to inspect all traffic arriving from the Internet and mitigate attacks in real time before the attacks impact the customer environment.

Looking at the rest of 2015, Larson noted that as Corero continues to monitor and protect against DDoS attacks that are targeted toward its customers, the expectation is that attacks will increase in frequency and continue to evolve to circumvent traditional security measures.

“DDoS attackers are smart, and they tend to target the lowest hanging fruit, and position their attack attempts to cause the most damage,” Larson said.

Source: http://www.eweek.com/security/short-duration-ddos-attacks-becoming-more-popular.html

Chinese anti-censorship group GreatFire.org hit by aggressive DDoS attack
March 23, 2015

A group dedicated to fighting Chinese internet censorship has been hit with an “aggressive brute force” cyberattack for the first time after it was revealed it was helping people in China access banned websites and social media services.

GreatFire.org, which is run by a group of three activists, aims to monitor the level of internet censorship in China. The country’s censorship system, which has become known as the Great Firewall, bans hundreds of websites including Gmail, Facebook, Twitter, YouTube, and most recently Reuters.

The activist group revealed that while it doesn’t know who is behind the attack, the massive distributed denial of service (DDoS) attack coincides with increased pressure on the organisation over the last few months.

“The Cyberspace Administration of China (CAC) publicly called us ‘an anti-China website set up by an overseas anti-China organisation’. We also know that CAC has put pressure on our IT partners to stop working with us. Recently, we noticed that somebody was trying to impersonate us to intercept our encrypted email.”

In a blog post entitled We Are Under Attack, GreatFire.org said that “this kind of attack is aggressive and is an exhibition of censorship by brute force.” According to the group, its mirror sites received up to 2.6 billion requests per hour, which is about 2,500 times more than normal levels.

Access banned websites

The attack came a day after a report in the Wall Street Journal revealed that services such as GreatFire.org, Tor and Lantern were using cloud services to allow people in China to access banned websites.

The system, known as collateral freedom by GreatFire.org, works by sending two requests from a user’s computer. One request is for access to an unbanned website; it is unencrypted and seen by the censors in China. The other is for a banned service (such as Gmail, Facebook, Twitter, etc.) but is encrypted so the censors cannot see it.

The encrypted request is sent to a cloud service such as Amazon Web Services or Microsoft’s Azure, and it is then either sent on to the banned website or to a mirror of that site stored in the cloud.

The systems are implemented without the knowledge of companies like Amazon or Microsoft, and the cloud providers are looking to stop them from working as they do not want to be added to the banned list in China, which is an important and growing market in the cloud industry.

GreatFire.org uses Amazon Web Services to host its mirror sites and said that based on the massive level of traffic, it would need to pay $30,000 (£20,200) per day for bandwidth. It has called on supporters to donate to the cause to help keep the service up-and-running.

The group says that it has upgraded to faster servers to handle such attacks and many have urged it to consider getting DDoS protection from a company such as CloudFlare.


Anti-censorship group in China faces DDoS attack
March 19, 2015

An activist group working to end China’s Internet censorship is facing an ongoing distributed denial of service (DDoS) attack that threatens to cripple its activities.

GreatFire.org, a censorship watchdog based within the country, reported on Thursday that it had been hit with its first DDoS attack.

Although it’s not known who is behind the attack, China has been suspected of using the tactic before to take down activist websites.

DDoS attacks work by using an army of hacked computers to send an overwhelming amount of traffic to a website, effectively disabling it.

In an Internet posting, GreatFire said that it was seeing 2.6 billion requests per hour, and that its websites had been forced offline.

“We are not equipped to handle a DDoS attack of this magnitude and we need help,” the group added.

The DDoS attack is targeting mirror websites GreatFire created to let Chinese users access blocked content, such as Google, BBC, the New York Times and other sites known to offer articles critical of the Chinese government.

To create the mirror websites, GreatFire has been using Amazon.com to host them through its cloud services. If the country wanted to cut access to the sites, the government would have to cause “collateral damage” and risk blocking Amazon servers that also support a large number of businesses, according to the group.

GreatFire suspects that the DDoS is in response to a Wall Street Journal article about the group’s use of cloud services to poke holes through China’s censorship.

“Because of the number of requests we are receiving, our bandwidth costs have shot up to US$30,000 per day,” the group said. “Amazon, which is the service we are using, has not yet confirmed whether they will forgo this.”

Amazon did not immediately respond to a request for comment on Thursday.

GreatFire, which is run by an anonymous team, has said the bandwidth costs will “put a significant squeeze” on its operations. The group is asking the public to contact Amazon about supporting GreatFire’s cause.

As for China, the country has always denied carrying out state-sponsored hacking attacks. But in January, authorities blasted GreatFire for alleging that it had launched a cyberattack against Microsoft’s Outlook.com. “This is unprovoked speculation, and purely amounts to disinformation and slander from anti-China forces based abroad,” a government office said at the time.

The office went on to claim that GreatFire had launched unprovoked attacks against the Chinese government, and that it was seeking to incite unrest.

Source: http://www.computerworld.com/article/2899040/anti-censorship-group-in-china-faces-ddos-attack.html