Spamhaus hit with largest DDoS Ever Recorded – More than 300 Gbps

Akamai Spamhaus DDoS stats (image): current global attacks according to Akamai.com

Internet spam-fighting organization Spamhaus, with the help of CloudFlare, has recovered from the largest Distributed Denial of Service attack ever reported. The attacks started at 10 Gbps on the 18th and ramped up rapidly over the last week until they hit an unprecedented volume of 300 Gbps!

Spamhaus tracks internet spammers and works with law enforcement to help shut them down. Apparently some bad guys didn’t like this and attacked their website with a 10 Gbps DDoS stream of traffic, knocking them offline. Spamhaus turned to the popular website security company Cloudflare for help.

Cloudflare was able to deflect the attacks, which according to Cloudflare’s blog ramped up to 120 Gbps on the 21st. The attackers then stopped and tried something Cloudflare had not seen before: they turned their DDoS against Cloudflare’s upstream providers, with attacks ranging up to 300 Gbps, forcing Cloudflare to temporarily drop peering for London:

Cloudflare Spamhaus Twitter post (image)

The attacks affected worldwide website traffic, according to an article today on Fox News. “If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why,” said Matthew Prince, CEO of CloudFlare.

Spamhaus is up and running today. But a quick look at Akamai.com shows that global attacks are still elevated (See image at top of post).


Distributed Denial of Service (DDoS) Attacks Explained

Cross Posted from iElmira.com. This is a copy of an article I did for iElmira’s tech forum.
  
You may have heard about the DDoS attacks that have shut down many websites during the Wikileaks kerfuffle. But what is a DDoS attack anyway?

Well, simply put, in a denial of service attack the attacker sends repeated messages to a target website so frequently that the website cannot keep up and slows to a crawl, in effect taking it offline.

This works well against small websites, but larger websites are hosted on several computers and use round-robin DNS resolution so that multiple machines appear as one site. These can handle a lot more traffic, so a different tactic is needed.

Attackers will usually use “zombie” machines that they have infected with a virus (also called “bots”) to work together to attack a single site. Sometimes hundreds or even thousands of systems are used in this manner. (Keep your system and anti-virus updated! 🙂 ) The website is hit with so many requests that it bogs down to the point where it can no longer respond. This is called a Distributed Denial of Service attack.
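To make the “distributed” part concrete from the defender’s side, here is an added example (not code from the original post) that counts requests per source over constructed web-server log lines. It shows why the per-IP rate limit that stops a single flooding machine is blind to the same number of requests spread thinly across a botnet, and why an aggregate request-rate alarm is needed alongside it. All addresses are drawn from the RFC 5737 documentation ranges and every log line is constructed by the script itself.

```python
# Added example (not code from the original post): count requests per source
# over constructed access-log lines to show why a per-IP threshold catches a
# single-source flood but is blind to a distributed one. All IPs come from the
# RFC 5737 documentation ranges and every line below is constructed.
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, TIME_FMT),
            "request": request, "status": int(status)}


def make_log(start, sources, total_hits, path="/"):
    """Construct total_hits GET lines spread evenly over `sources` within one minute."""
    lines = []
    for i in range(total_hits):
        ip = sources[i % len(sources)]
        t = start + timedelta(seconds=(60 * i) // total_hits)
        lines.append(f'{ip} - - [{t.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 512')
    return lines


def analyze(lines, per_ip_threshold, total_threshold):
    """Flag sources above per_ip_threshold and say whether the aggregate looks like a flood."""
    events = [e for e in map(parse_line, lines) if e is not None]
    per_ip = Counter(e["ip"] for e in events)
    flagged = {ip: n for ip, n in per_ip.items() if n > per_ip_threshold}
    return {
        "total": len(events),
        "distinct_sources": len(per_ip),
        "flagged": flagged,                       # sources a per-IP rate limit would block
        "flood": len(events) > total_threshold,   # aggregate signal, independent of source
    }


START = datetime(2010, 12, 13, 12, 0, 0, tzinfo=timezone.utc)
LEGIT = [f"192.0.2.{i}" for i in range(1, 51)]        # 50 ordinary visitors, one hit each
BOTNET = [f"203.0.113.{i}" for i in range(1, 201)]    # 200 constructed bot addresses
ONE_SOURCE = ["198.51.100.7"]                          # one constructed flooding host


def demo(per_ip_threshold=100, total_threshold=1000):
    """Run the same 3000-request flood once from one host and once from the botnet."""
    legit = make_log(START, LEGIT, 50)
    single = analyze(legit + make_log(START, ONE_SOURCE, 3000), per_ip_threshold, total_threshold)
    distributed = analyze(legit + make_log(START, BOTNET, 3000), per_ip_threshold, total_threshold)
    return {"single_source": single, "distributed": distributed}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report["total"], "requests from", report["distinct_sources"],
              "sources; flagged:", len(report["flagged"]), "flood:", report["flood"])
```

In the single-source run the one host is flagged immediately; in the distributed run each bot stays at 15 requests per minute, well under the per-IP threshold, and nothing is flagged even though the total request count is identical. Only the aggregate check fires in both cases, which is why capacity planning and upstream filtering, not per-client rate limits alone, are the usual answer to a distributed flood.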

Most of the “hacktivists” involved in the Wikileaks DDoS attacks are using these DDoS attacks to shut down each other’s websites. The hacktivists are receiving a lot of flak from computer security “experts” for using these old-style attacks (which kinda doesn’t make sense, because they do seem to be working).

You see, there is a newer, much more efficient method of denial of service attack called “Layer 7 DoS”. In this type of attack, instead of flooding a server with thousands of packets, the web server application itself is attacked. Partial requests are opened with the server but never finished, which leaves the server in a waiting state. It only takes a very few of these requests to bog down a server and take it offline.

In a Layer 7 denial of service attack, a single attacker could take almost any single website down at will. They literally act like an on/off switch. The Jester used such a program he created, called “Xerxes”, to take Wikileaks offline on the first day of the latest release. I have seen a different Layer 7 DoS program run and it is brutally effective.

The scary part is that these have existed for quite a while now, and because they attack a function of web servers, neither Apache nor Microsoft have moved to fix them. That is the official word, anyway; truly fixing the issue would probably require major rewrites, and they are not willing to do that at this point. You will probably see these issues addressed in the next releases of Apache and IIS.
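The “waiting state” described above is easiest to see as a slot-accounting problem. The following is an added example, not code from the original post or from any of the tools it names: a toy tick-per-second model of a server’s connection pool in which a few partial requests per second arrive and are never completed. It shows how quickly a small pool starves, and that the standard mitigation, a per-connection timeout on receiving the request header (the kind of limit Apache’s mod_reqtimeout and nginx’s client_header_timeout impose), only helps when the partial-connection rate times the timeout stays below the pool size. Every parameter is constructed, and nothing in the script touches a network.

```python
# Added example, not code from the original post: a toy model of a server's
# connection-slot pool under partial requests that are never completed. It
# shows why a handful of idle connections per second is enough to starve
# legitimate traffic, and that a per-connection header timeout only helps
# when (partial connections per second) x (timeout) stays below the pool size.
# All parameters are constructed; nothing here talks to a network.
import math


def simulate(pool_size, partial_per_sec, header_timeout, legit_per_sec, duration):
    """Tick the model once per second and return (served, refused) for legitimate requests.

    pool_size        worker/connection slots the server has
    partial_per_sec  partial requests opened each second and never finished
    header_timeout   seconds the server waits for a complete header, or None for no limit
    legit_per_sec    complete requests arriving each second; each finishes within one tick
    """
    held = []  # expiry tick of every occupied slot
    served = refused = 0
    for t in range(duration):
        held = [exp for exp in held if exp > t]  # release finished or timed-out connections
        # Worst case for the defender: idle connections arrive before this tick's real requests.
        for _ in range(partial_per_sec):
            if len(held) < pool_size:
                held.append(math.inf if header_timeout is None else t + header_timeout)
        for _ in range(legit_per_sec):
            if len(held) < pool_size:
                held.append(t + 1)
                served += 1
            else:
                refused += 1
    return served, refused


def max_slots_held(partial_per_sec, header_timeout):
    """Upper bound on slots the idle connections can occupy at once under a header timeout."""
    return math.inf if header_timeout is None else partial_per_sec * header_timeout


def demo(pool_size=50, partial_per_sec=10, legit_per_sec=5, duration=30):
    """Compare no timeout, a timeout that is too long for this pool, and one that is short enough."""
    results = {}
    for label, timeout in (("no_timeout", None), ("timeout_5s", 5), ("timeout_3s", 3)):
        served, refused = simulate(pool_size, partial_per_sec, timeout, legit_per_sec, duration)
        results[label] = {"served": served, "refused": refused,
                          "bound": max_slots_held(partial_per_sec, timeout)}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:11s} served={r['served']:3d} refused={r['refused']:3d} "
              f"max idle slots held={r['bound']}")
```

With a 50-slot pool and ten never-finished connections per second, the no-timeout run serves only the first few seconds of real traffic and refuses everything after that. A 5-second header timeout bounds the idle connections at exactly 50 slots, so the outcome is identical; a 3-second timeout caps them at 30 and every legitimate request gets through. The `max_slots_held` check is the one to apply when tuning: if that bound is at or above the worker count, the timeout alone will not save the server, and a larger pool, a reverse proxy that only forwards complete requests, or connection limits per source are needed as well.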

Cyber Arms Intelligence Report for 12/13/10

The biggest story this week is still Wikileaks. Okay, let’s start with the latest DDoS targets. After a flood of DDoS attacks, a 16-year-old kid was arrested by Dutch police. So, unbelievably, the Dutch police came under attack:

Dennis Janus, a spokesman for the National Police Service confirmed that both the police website, and that of the National Prosecutor’s Office had been offline for much of the day, with many theorising that the likely reason is a distributed denial-of-service (DDoS) attack similar to that which was launched against Mastercard, PayPal and other firms.

What has been crazy is that the DDoS and counter-DDoS attacks seem to have no end in sight. One hacking group, “Anonymous”, is offering its DDoS tool (LOIC) and asking for volunteers to jump in and help. Apparently the 16-year-old who was arrested may have been using LOIC, and wouldn’t you know: LOIC attacks are not anonymous. They can be tracked back to the attacker.

It does make one wonder, though, whether the government is involved in any of these attacks. Not sure, but one site does claim that the CIA is hosting one of the Wikileaks mirror sites as a honeypot.

We have even seen a casualty of mistaken identity in this DDoS war, as a company that was not involved at all got taken down. EasyDNS was mistakenly reported by media outlets as the company that knocked Wikileaks offline, when in reality it was a company called EveryDNS. I wonder if the hackers apologized after recognizing the mistake?

Well, Wikileaks hasn’t come out of this mess unscathed. According to an article on CNN, it looks like there is mutiny in the ranks. A group has broken off from Wikileaks and created a new whistleblower site called “openleaks.org”, which will launch today:

“It has weakened the organization,” one of those founders, Daniel Domscheit-Berg says in a documentary airing Sunday night on Swedish television network SVT. He said WikiLeaks has become “too much focused on one person, and one person is always much weaker than an organization.”

But it looks like they are not the only group breaking up over the Wikileaks fiasco. It appears the members of the hacking group “Anonymous” are starting to turn on each other too. A Sydney-based Anonymous member had some colorful comments about fellow members:

He said that, rather than being full-blown hackers, the Anonymous members were “script kiddies” who only knew how to download the LOIC program and run it. “They’re very unprofessional, illogical and irrational and very much their actions are based upon emotions,” he said.

So apparently LOIC is just a simple DDoS tool, and many members have very little technical experience. They are just running the program. Thank goodness they aren’t using the much more efficient Layer 7 DDoS attacks (OWASP PDF file).

In other news, even though Iran says they are A-OK after the Stuxnet attack, computer security experts beg to differ:

Eric Byres, a computer expert who has studied the worm, said his site was hit with a surge in traffic from Iran, meaning that efforts to get the two nuclear plants to function normally have failed. The web traffic, he says, shows Iran still hasn’t come to grips with the complexity of the malware that appears to be still infecting the systems at both Bushehr and Natanz.

Okay, so they are still infected; what will it take to finally get rid of all traces of Stuxnet? German security expert Ralph Langner had this to say:

“Here is their problem. They should throw out every personal computer involved with the nuclear program and start over, but they can’t do that. Moreover, they are completely dependent on outside companies for the construction and maintenance of their nuclear facilities. They should throw out their computers as well. But they can’t,” he explained. “They will just continually re-infect themselves.”

“With the best of expertise and equipment it would take another year for the plants to function normally again because it is so hard to get the worm out. It even hides in the back-up systems. But they can’t do it,” he said.

Well, whoever was behind Stuxnet, it looks like they have done an amazing job of tying up and maybe even neutralizing the Iranian nuclear plants. It also makes one wonder how prepared other facilities are to defend against threats like Stuxnet.

And lastly, a nasty new botnet has been detected by ShadowServer. The Destination Darkness Outlaw System, or “Darkness”, is easy to purchase, easy to deploy, and very effective and efficient at what it does. Darkness works against Windows 95 through Windows 7 clients, runs as a Windows service and uses varying levels of bots to shut down target networks.

According to ShadowServer, 30 bots can overwhelm an average site, 300 bots a medium-size site, 1,000 bots a large site, 5,000 a cluster even with anti-DDoS protection in place, and 15,000 to 20,000 bots could theoretically bring down the Russian version of Facebook.

Other Top Security Stories from around the Web:

Cybersecurity Must Balance ‘Need to Know’ and ‘Need to Share’ – Robert J. Butler said sharing information within the military, with coalition partners and even with outside agencies will continue, but there will be more controls placed on the information.

NATO Works to Set Right Cyber Balance – “I could envision within the NATO alliance an operational command that focuses on cyber,” he said. “At the moment, that work is embedded in several of the NATO agencies. But I think we are seeing this as an operational task, so I will be advocating putting more of this on the operational side.”

Army’s plan to modernize intell rides on the cloud – The Army’s efforts to enlist cloud computing to modernize its intelligence capabilities are in step with similar efforts across the military services.

NASA sold computers without properly scrubbing them, IG says – A NASA inspector general’s audit found that the agency had released to the public 10 computers that had not had their memories wiped. Nine of them might have contained highly sensitive data.

NIST Announces SHA-3 Hash Function Finalists – The SHA-3 finalists include Skein, developed by a group including Bruce Schneier and Jon Callas.