Attacker and accomplice allegedly also launched botnet-driven attacks against eBay and Priceline, then offered to fix the problem.
Application Layer (Layer 7) DDoS Attacks Decline According to Prolexic's Q2 2012 Report
July 17, 2012
HOLLYWOOD, FL – (July 17, 2012) – Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) protection services, today announced that the number of application layer (Layer 7) attacks against its global client base declined in Q2 2012. This is one of a number of key findings contained in the company’s Quarterly Global DDoS Attack Report, which was released today.
Even though the total number of DDoS attacks increased 10% this quarter, the Prolexic Security Engineering & Response Team (PLXsert) logged an 8% decline in application layer DDoS attacks, which accounted for 19% of all attacks. Infrastructure attacks (Layer 3 and 4) against bandwidth capacity and routing infrastructure totaled 81%.
“Q2 data showed a return to traditional infrastructure attacks and is likely a reflection of changing tools for launching DDoS attacks,” said Stuart Scholly, president of Prolexic. “With Layer 7 attacks, the risk of detection and eventual take down by law enforcement increases because these attacks disclose the IP address of the attacking botnet and this may be another reason for their decline this quarter.”
GET Floods, the most popular Layer 7 attack type, continued to decline in popularity. In Q2 2011, GET Flood attacks accounted for 22% of all DDoS attack campaigns mitigated by Prolexic. In Q2 2012, GET Flood attacks accounted for just 14%.
PLXsert also identified a rise in popularity for certain types of infrastructure-directed DDoS attacks: ICMP, SYN, and UDP floods. In Q2 2011, these attack types accounted for 55% of attacks mitigated by Prolexic. In Q1 2012, they accounted for 59%, and this quarter the total percentage has increased to 67%.
Other highlights from the Q2 2012 Global DDoS Attack Report
Compared to Q1 2012
- 10% increase in total number of attacks
- 8% rise in Layer 3 and 4 infrastructure attacks
- Average attack duration declines to 17 hours from 28.5
- China retains its position as the main source country for DDoS attacks
Compared to Q2 2011
- 50% increase in total number of DDoS attacks
- 11% increase in infrastructure (Layer 3 & 4) attacks
- Shorter average attack duration: 17 hours vs. 26 hours
- 63% higher packet-per-second (pps) volume
Analysis and emerging trends
This quarter, DDoS attacks against Prolexic’s global client base were evenly spread across all vertical industries – financial services, e-Commerce, SaaS, payment processing, travel/hospitality, and gaming. “No industry was spared this quarter, illustrating that denial of service is a global, mainstream problem that all online organizations must face,” said Scholly.
In Q2 2012, average attack duration for Prolexic clients continued to decline, dropping to 17 hours from 28.5 hours the previous quarter. “Once DDoS attackers realize they are up against Prolexic’s cloud-based DDoS mitigation infrastructure, they typically move on and choose easier targets where they can have much greater impact,” explained Scholly.
Despite a low number of DDoS attacks in April and May, Q2 2012 was active overall, with the total number of denial of service attacks increasing by 10% compared to Q1 2012. June was by far the most active month of the quarter, accounting for 47% of the quarter’s total number of DDoS attacks. The week of June 3-10 was the most active: PLXsert logged 14% of the entire quarter’s DDoS attacks in that week. Interestingly, this period of high activity coincided with the beginning of the UEFA Euro 2012 soccer tournament.
As in previous attack reports, China (33%) is the top source country for distributed denial of service attack traffic and this quarter it is joined at the top of the list by Thailand (23%) and the United States (8%).
“While Layer 7 attacks show a slight decline overall, organizations cannot afford to be complacent because you never know when one will strike” warned Scholly. “If your Internet-facing infrastructure is critical to business operations, you’ll need a DDoS mitigation service that can block volumetric infrastructure attacks, but also all application layer attacks, including HTTPS, GET and POST Floods.”
Data for the Q2 2012 report has been gathered and analyzed by the Prolexic Security Engineering & Response Team (PLXsert). The group monitors malicious cyber threats globally and analyzes DDoS attacks using proprietary techniques and equipment. Through data forensics and post attack analysis, PLXsert is able to build a global view of DDoS attacks, which is shared with Prolexic customers. By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations adopt best practices and make more informed, proactive decisions about DDoS threats.
A complimentary copy of the Prolexic Quarterly Attack Report for Q2 2012 is available as a free PDF download from www.prolexic.com/attackreports. Prolexic’s Q3 2012 report will be released in the fourth quarter of 2012.
About Prolexic
Prolexic is the world’s largest, most trusted Distributed Denial of Service (DDoS) mitigation provider. Able to absorb the largest and most complex attacks ever launched, Prolexic restores mission-critical Internet-facing infrastructures for global enterprises and government agencies within minutes. Ten of the world’s largest banks and the leading companies in e-Commerce, SaaS, payment processing, travel/hospitality, gaming and other at-risk industries rely on Prolexic to protect their businesses. Founded in 2003 as the world’s first in-the-cloud DDoS mitigation platform, Prolexic is headquartered in Hollywood, Florida and has scrubbing centers located in the Americas, Europe and Asia. To learn more about how Prolexic can stop DDoS attacks and protect your business, please visit www.prolexic.com, follow us on LinkedIn, Facebook and Google+ or follow @Prolexic on Twitter.
Ref: Prolexic
By Mathew J. Schwartz, InformationWeek, July 20, 2012 09:02 AM
Federal authorities announced Thursday that a Russian man accused of launching distributed denial-of-service (DDoS) attacks against Amazon.com has been arrested in Cyprus.
Dmitry Olegovich Zubakha, 25, of Moscow, was busted Wednesday on an international arrest warrant after being indicted in federal court in May 2011 for launching two botnet-driven DDoS attacks against Amazon.com in June 2008, as well as for similar attacks against eBay and Priceline.
"Zubakha is alleged to have mounted a denial of service attack against Amazon on June 6, 2008 and again on June 9, 2008," according to federal prosecutors. "In both instances, the attacks disrupted the ability of customers to access the Amazon site for hours while the company attempted to deal with the attacks from a 'botnet' or web of connected computers."
Authorities said that Zubakha and an unnamed co-conspirator, also Russian, later took credit for their botnet-driven exploits on underground hacker forums. U.S. Attorney Jenny A. Durkan, who heads the Justice Department's cybercrime and intellectual property enforcement committee, branded the two Russian attackers as "cyber bandits."
Authorities said they'd also traced 28,000 stolen credit card numbers to Zubakha, which they said had been used to commit identity theft.
"The investigation culminating in the arrest of Dmitry Zubakha by authorities in Cyprus was extremely complex," said James Helminski, special agent in charge of the U.S. Secret Service in Seattle, in a statement. "The apprehension of Zubakha is the result of a concerted effort by the Secret Service, the U.S. Attorney's Office for the Western District of Washington, and the Seattle Police Department. I would also like to commend Amazon.com for its forthrightness and assistance in dealing with this series of computer network attacks which had the potential to adversely impact the company's ability to serve its customers."
Why bother launching DDoS attacks against well-known online properties? According to authorities, the pair created problems which they then offered to solve, for a price. "In one instance a co-conspirator called a victim company, Priceline.com, and offered his services as a consultant to stop the denial of service attack," according to the related indictment, which was unsealed after Zubakha's arrest.
Prosecutors are seeking Zubakha's extradition from Cyprus to the United States so that he can stand trial on the charges. All told, he has been charged with conspiracy to intentionally cause damage without authorization to a protected computer, two counts of intentionally causing damage to a protected computer--resulting in a loss of more than $5,000--as well as possessing 15 or more unauthorized access devices, and aggravated identity theft over the stolen credit card data he allegedly possessed.
If convicted on all charges, Zubakha faces up to 37 years in prison and $750,000 in fines.
Ref: InformationWeek
What is a Distributed Denial of Service (DDoS) Attack and What Can I Do About It?
by Larry Rogers
What is a Distributed Denial of Service (DDoS) attack?
Have you ever tried to make a telephone call but couldn't because all the telephone circuits were busy? This may happen on a major holiday and often happens on Mother's Day. In fact, in the United States, telephone companies used to air commercials on television and radio that suggested you avoid peak calling times by making your calls early or late in the day.
The reason you couldn't get through is because the telephone system is designed to handle a limited number of calls at a time. That limit was determined by weighing the cost of having all calls get through all the time with the amount of traffic the system receives. If the total number of calls is always high, it makes economic sense for the telephone company to provide more capacity to match that demand. However, if the number of calls is low compared to the holiday peaks, then the telephone company will build networks that accommodate only the lower off-peak number of callers and advise their customers to avoid peak calling times. It's a basic matter of supply and demand.
Imagine that an intruder wanted to attack the telephone system and make the system unusable by telephone customers. How would they do this? One way would be to make call after call in an attempt to make all circuits busy. This type of attack is called a denial of service, or DoS, attack. In essence, the intruder has caused the telephone system to deny service to its customers. It is not likely that one caller working alone can tie up all telephone circuits. To do that would require making as many calls as possible from as many telephones as possible. This is called a distributed denial of service, or DDoS, attack.
Computer systems can also suffer DoS and DDoS attacks. For example, sending an extraordinary amount of electronic mail to someone could fill the computer disk where mail resides. This means that people who use the computer with the full disk cannot receive any new email until the situation changes. While this is an older style of DoS attack, it is still popular today.
In addition, intruders have turned their efforts toward denying people the services provided by networked computers. Examples of frequently attacked services are the World Wide Web, file sharing services and, more recently, the Domain Name Service. Because so many of our computers are connected through the Internet, attacking one of these services can have a significant impact on the whole Internet community. For example, by launching a DoS attack on a popular merchant during a high sales period, the intruder affects not only that merchant, but everyone who is then unable to buy their products.
To deny these services to prospective users of a computer service, intruders run specially written computer programs that send extraordinary volumes of Internet "calls" to one of the computers that provides that service, similar to the way that an intruder can tie up the telephone system.
When a computer answers such a call, most often there's no one on the other end, so answering the call turns out to be a waste of time. Unfortunately, the attacked service cannot tell this in advance, so it has to answer all calls placed to it. Answering each call takes time, and there's only so much time available. It's the supply and demand issue all over again.
In addition, the volume of traffic may be so high that the networks connecting the attacking computers to the victim's computer may also suffer from lower performance. Just like the telephone system and service computers, these networks cannot handle traffic beyond a certain limit. Users wanting services from computers on those networks are denied those services, too. Those networks are also considered victims of a DDoS attack.
How do intruders wage a DDoS attack against a victim's computer?
First, they build a network of computers that will be used to produce the volume of traffic needed to deny services to computer users. We'll call this an attack network.
To build this attack network, intruders look for computers that are poorly secured, such as those that have not been properly patched, or those with out-of-date or non-existent anti-virus software. When the intruders find such computers, they install new programs on the computers that they can remotely control to carry out the attack.
Intruders used to hand-select the computers that made up the attack network. These days, however, the process of building an attack network has been automated through self-propagating programs. These programs automatically find vulnerable computers, attack them, and then install the necessary programs. The process begins again as those newly compromised computers look for still other vulnerable computers. Once a DDoS program has been installed on a computer, that program identifies the computer as a member of the attack network. Because of this self-propagation, large attack networks can be built very quickly. A by-product of the network-building phase is yet another DDoS attack, because searching for other vulnerable computers creates significant traffic as well.
Once an attack network is built, the intruder is ready to attack the chosen victim or victims. Some information security experts believe that many attack networks currently exist and are dormant, passively waiting for the command to launch an attack against a victim's computers. Others believe that once a victim has been identified, the attack network is built and the attack launched soon afterward.
To reduce their chances of being discovered, intruders distribute their attack across computers in different time zones, different legal jurisdictions, and with different systems administrators. Intruders also make the electronic traffic they create appear to be from a computer different from the one that actually created it. This is called IP spoofing, and it is a commonly used method to disguise where an attack is really coming from. If the source of the attack is unknown, it is difficult to stop it, giving intruders free rein with a high likelihood of successfully remaining anonymous.
The MyDoom virus is an example of building such a DDoS attack network. In this case, the attack network was built not through technological vulnerabilities but rather through operational vulnerabilities. Computer system users were coaxed into executing a malicious program that was either sent as an email attachment or as a file downloaded through a Point-To-Point network connection, effectively enrolling their computer system into the attack network. However, instead of remotely controlling the newly installed malicious program as previously described, the intruder designed it to automatically send significant amounts of traffic to www.sco.com on February 1, 2004 and www.microsoft.com on February 3, 2004. See Technical Cyber Security Alert TA04-028A for a detailed explanation of MyDoom. This alert also lists steps that can be taken to remove it from an infected computer system.
What can be done about DDoS attacks?
There are no short-term solutions to eliminate DDoS attacks. Today's best practices involve making computers and networks more resilient in the face of an attack. We call this survivability.
All systems have their limits. One way to make a system more survivable is to increase these limits; the more resources there are, the better the chances are that the system will survive an increased demand for use. To increase the telephone system's limits, the telephone company adds more circuits. For a web service, the webmaster might increase the number of connections that a web service can accept; for example, a site could add more web servers. This spreads the increased load over more computers and helps to ensure that no one computer operates too near its limit. The higher the limits of all the potentially affected systems – the network and the computers on that network – the better the chances that network will survive a DDoS attack.
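The "calls with no one on the other end" explanation and the "raise the limits" remedy above can be made quantitative with a small capacity model. This is an added example, not code from the CERT article: a service with a fixed number of concurrent slots, steady legitimate callers, and Poisson-arriving attack calls that tie up a slot until a timeout. All traffic figures are constructed assumptions.

```python
"""Toy capacity model of the telephone analogy: a service has a fixed number of
concurrent "circuits" (connection slots).  Legitimate callers hold a slot for a
short service time; attack calls have nobody on the other end, so a slot stays
tied up until the server gives up waiting (a timeout).  A call that arrives when
every slot is busy is denied service.  Every number here is a constructed
assumption, not a measurement from the article."""
import heapq
import random
from dataclasses import dataclass


@dataclass
class Result:
    legit_total: int = 0
    legit_rejected: int = 0
    attack_total: int = 0

    @property
    def legit_reject_rate(self) -> float:
        return self.legit_rejected / self.legit_total if self.legit_total else 0.0


def simulate(capacity: int, duration: float = 60.0, legit_interval: float = 0.2,
             legit_service: float = 0.5, attack_rate: float = 0.0,
             attack_timeout: float = 30.0, seed: int = 1) -> Result:
    """Event-driven simulation; returns how many legitimate calls were denied."""
    rng = random.Random(seed)
    events = []  # heap of (time, kind); kind is "legit", "attack" or "free"
    # Legitimate callers arrive at a steady pace: one every legit_interval seconds.
    for i in range(round(duration / legit_interval)):
        heapq.heappush(events, (i * legit_interval, "legit"))
    # Attack calls arrive as a Poisson process with attack_rate calls per second.
    if attack_rate > 0:
        t = rng.expovariate(attack_rate)
        while t < duration:
            heapq.heappush(events, (t, "attack"))
            t += rng.expovariate(attack_rate)
    busy = 0
    res = Result()
    while events:
        now, kind = heapq.heappop(events)
        if kind == "free":           # a slot was released
            busy -= 1
            continue
        if kind == "legit":
            res.legit_total += 1
            hold = legit_service     # a real caller finishes and hangs up
        else:
            res.attack_total += 1
            hold = attack_timeout    # nobody answers; slot held until timeout
        if busy >= capacity:         # all circuits busy: service denied
            if kind == "legit":
                res.legit_rejected += 1
            continue
        busy += 1
        heapq.heappush(events, (now + hold, "free"))
    return res


def smallest_surviving_capacity(max_reject_rate: float, start: int = 100,
                                step: int = 100, limit: int = 2000, **kw):
    """Smallest slot count (in steps of `step`) that keeps legitimate rejections
    at or under the target for the given traffic mix; None if `limit` slots are
    still not enough.  This is the "add more servers" lever, made quantitative."""
    for capacity in range(start, limit + 1, step):
        if simulate(capacity, **kw).legit_reject_rate <= max_reject_rate:
            return capacity
    return None


if __name__ == "__main__":
    # Constructed scenario: 5 legitimate calls/s vs. 20 attack calls/s, each
    # attack call holding a slot for the full 30 s timeout.
    attack = dict(attack_rate=20.0, attack_timeout=30.0)
    print("no attack,   10 slots:", simulate(10).legit_reject_rate)
    print("attack,      10 slots:", simulate(10, **attack).legit_reject_rate)
    print("attack,    1000 slots:", simulate(1000, **attack).legit_reject_rate)
    print("slots needed for <=5% rejection:",
          smallest_surviving_capacity(0.05, **attack))
```

Raising the slot count only buys survivability up to the attacker's sustained rate times the timeout; shortening the timeout for unanswered calls reduces the per-call cost and is the other lever the model exposes.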
You can do your part to ensure that your computers are never part of a DDoS attack network by following security best practices, such as those in Home Computer Security. Then, be alert to changes in your computer or network performance.
Ask yourself the following questions:
- Are your computers running noticeably slower than usual?
- Is your Internet connection slower than usual?
- Are the activity lights on your high-speed (cable or DSL) modem solid, or on almost all of the time?
Any of these could indicate that your computer system may be a participant in a DDoS attack network. If this happens to you, contact your Internet service provider (ISP) and follow their recommendations. Also, you should strongly consider turning off your computer system or your high-speed modem. That will certainly stop the flow of DDoS traffic, though this is only a temporary solution. If your computer system was a participant in a DDoS attack network, your system was compromised, and attack tools were installed on your computer. You'll need to determine what the intruders did and then repair the damage. The article There IS an Intruder in My Computer - What Now? describes how to recover from an intrusion on your home computer.
Distributed denial of service attacks are a significant problem. These attacks will be with us for a while, though there is ongoing research on how to reduce them (see the More reading section below). Until then, DDoS is no (tele)phoney baloney!
More reading
You can find more reading for home users on the CERT web site. If you would like more technical details, you might be interested in reading the following:
Ref: cert.org