A new campaign has been discovered that uses XorDDoS Trojan, which affects Linux systems and devices, turning them into zombies that can be controlled by threat actors remotely.
Moreover, these compromised systems can later be used for DDoS(Distributed Denial-of-Service) attacks.
Comparing this current campaign with the campaign conducted in 2022, there was only one change found, which was the configuration of the C2 hosts.
However, the attacking domains were still unchanged. The threat actors seem to have migrated their offensive infrastructure to hosts running on legitimate public hosting services.
Additionally, with respect to the 2022 campaign, many security vendors have already classified the C2 domains as malicious and barred them but still the current active malware traffic is being directed to new IPs.
As part of the initial access vector, the threat actors scanned for hosts with HTTP service, vulnerable to directory traversal attacks that can enable access to arbitrary files on the server.
Threat actors specifically targeted the /etc/passwd file to read passwords. However, since the file has only encrypted passwords, they were forced to gain initial access through SSH brute-force attacks. Once they gained access, they downloaded malware from remote servers and owned the system.
XorDDoS Infects Linux Devices
XorDDoS Trojan uses an XOR encryption key (BB2FA36AAA9541F0) to encrypt all the execution-related data which are then decrypted using a decryption function. Once the malware is activated on the victim machine, it retrieves essential information such as /var/run/gcc.pid, the OS version, malware version, memory status, and CPU information.
The malware also used the decrypt_remotestr() function to decrypt the C2 domains embedded inside the executable. The C2 endpoints are,
ppp.gggatat456[.]com:53
ppp.xxxatat456[.]com:53
p5.dddgata789[.]com:53
P5.lpjulidny7[.]com:53
C2 decryption function (Source: Palo Alto Unit42)
Persistence
As a means of persistence, the malware creates scheduled autorun tasks, which will run every three minutes, along with an autorun service configured during startup.
Detection evasion is achieved by turning its process into a background service that can disguise itself as a legitimate process.
C2 Network Infrastructure
A list of C2 domains that were registered and used by the threat actors is as follows:
Furthermore, a comprehensive report about this new campaign and the trojan has been published by Unit42 of Palo Alto, which provides detailed information about the campaign, code analysis, obfuscation techniques, and other information.
In a recent disclosure, BIND 9, a widely-used DNS (Domain Name System) server software, has been found vulnerable to two critical security flaws, labeled CVE-2023-4236 and CVE-2023-3341.
These vulnerabilities, if exploited, could have serious consequences, making it imperative for users to take swift action.
This vulnerability arises from a flaw in the networking code responsible for handling DNS-over-TLS queries in BIND 9.
Under high DNS-over-TLS query load, an internal data structure is incorrectly reused, leading to an assertion failure. Consequently, a vulnerable named instance may terminate unexpectedly.
Thankfully, this flaw does not affect DNS-over-HTTPS code, as it employs a distinct TLS implementation. However, for those relying on DNS-over-TLS, the impact can be severe.
The second critical vulnerability, CVE-2023-3341, relates to the control channel code within BIND 9.
This flaw allows attackers to exploit a stack exhaustion issue by sending specially crafted messages over the control channel.
This can lead to names unexpectedly terminating, causing potential disruption.
Notably, the attack is effective in environments with limited stack memory available to each process or thread, making it difficult to predict its impact.
For users of BIND 9, immediate action is necessary to address these vulnerabilities. ISC (Internet Systems Consortium), the organization behind BIND, has provided solutions to mitigate these risks.
For CVE-2023-4236:
– Upgrade to BIND 9.18.19 or BIND Supported Preview Edition 9.18.19-S1.
– Consider disabling DNS-over-TLS connections if not required.
For CVE-2023-3341:
– Upgrade to BIND 9.16.44, 9.18.19, or 9.19.17, depending on your current version.
– Ensure that control-channel connections are limited to trusted IP ranges when enabling remote access.
No active exploits have been reported for these vulnerabilities. However, proactive measures are crucial to safeguard your systems against potential threats.
ISC extends its gratitude to the individuals who responsibly reported these vulnerabilities.
Robert Story from the USC/ISI DNS root server operations team brought CVE-2023-4236 to ISC’s attention, while Eric Sesterhenn from X41 D-Sec GmbH identified CVE-2023-3341.
Distributed denial of service (DDoS) events occur when a threat actor sends traffic floods from multiple sources to disrupt the availability of a targeted application. DDoS simulation testing uses a controlled DDoS event to allow the owner of an application to assess the application’s resilience and practice event response. DDoS simulation testing is permitted on Amazon Web Services (AWS), subject to Testing policy terms and conditions. In this blog post, we help you understand when it’s appropriate to perform a DDoS simulation test on an application running on AWS, and what options you have for running the test.
DDoS protection at AWS
Security is the top priority at AWS. AWS services include basic DDoS protection as a standard feature to help protect customers from the most common and frequently occurring infrastructure (layer 3 and 4) DDoS events, such as SYN/UDP floods, reflection attacks, and others. While this protection is designed to protect the availability of AWS infrastructure, your application might require more nuanced protections that consider your traffic patterns and integrate with your internal reporting and incident response processes. If you need more nuanced protection, then you should consider subscribing to AWS Shield Advanced in addition to the native resiliency offered by the AWS services you use.
AWS Shield Advanced is a managed service that helps you protect your application against external threats, like DDoS events, volumetric bots, and vulnerability exploitation attempts. When you subscribe to Shield Advanced and add protection to your resources, Shield Advanced provides expanded DDoS event protection for those resources. With advanced protections enabled on your resources, you get tailored detection based on the traffic patterns of your application, assistance with protecting against Layer 7 DDoS events, access to 24×7 specialized support from the Shield Response Team (SRT), access to centralized management of security policies through AWS Firewall Manager, and cost protections to help safeguard against scaling charges resulting from DDoS-related usage spikes. You can also configure AWS WAF (a web application firewall) to integrate with Shield Advanced to create custom layer 7 firewall rules and enable automatic application layer DDoS mitigation.
Acceptable DDoS simulation use cases on AWS
AWS is constantly learning and innovating by delivering new DDoS protection capabilities, which are explained in the DDoS Best Practices whitepaper. This whitepaper provides an overview of DDoS events and the choices that you can make when building on AWS to help you architect your application to absorb or mitigate volumetric events. If your application is architected according to our best practices, then a DDoS simulation test might not be necessary, because these architectures have been through rigorous internal AWS testing and verified as best practices for customers to use.
Using DDoS simulations to explore the limits of AWS infrastructure isn’t a good use case for these tests. Similarly, validating if AWS is effectively protecting its side of the shared responsibility model isn’t a good test motive. Further, using AWS resources as a source to simulate a DDoS attack on other AWS resources isn’t encouraged. Load tests are performed to gain reliable information on application performance under stress and these are different from DDoS tests. For more information, see the Amazon Elastic Compute Cloud (Amazon EC2) testing policy and penetration testing. Application owners, who have a security compliance requirement from a regulator or who want to test the effectiveness of their DDoS mitigation strategies, typically run DDoS simulation tests.
DDoS simulation tests at AWS
AWS offers two options for running DDoS simulation tests. They are:
A simulated DDoS attack in production traffic with an authorized pre-approved AWS Partner.
A synthetic simulated DDoS attack with the SRT, also referred to as a firedrill.
The motivation for DDoS testing varies from application to application and these engagements don’t offer the same value to all customers. Establishing clear motives for the test can help you choose the right option. If you want to test your incident response strategy, we recommend scheduling a firedrill with our SRT. If you want to test the Shield Advanced features or test application resiliency, we recommend that you work with an AWS approved partner.
DDoS simulation testing with an AWS Partner
AWS DDoS test partners are authorized to conduct DDoS simulation tests on customers’ behalf without prior approval from AWS. Customers can currently contact the following partners to set up these paid engagements:
Before contacting the partners, customers must agree to the terms and conditions for DDoS simulation tests. The application must be well-architected prior to DDoS simulation testing as described in AWS DDoS Best Practices whitepaper. AWS DDoS test partners that want to perform DDoS simulation tests that don’t comply with the technical restrictions set forth in our public DDoS testing policy, or other DDoS test vendors that aren’t approved, can request approval to perform DDoS simulation tests by submitting the DDoS Simulation Testing form at least 14 days before the proposed test date. For questions, please send an email to aws-ddos-testing@amazon.com.
After choosing a test partner, customers go through various phases of testing. Typically, the first phase involves a discovery discussion, where the customer defines clear goals, assembles technical details, and defines the test schedule with the partner. In the next phase, partners run multiple simulations based on agreed attack vectors, duration, diversity of the attack vectors, and other factors. These tests are usually carried out by slowly ramping up traffic levels from low levels to desired high levels with an ability for an emergency stop. The final stage involves reporting, discussing observed gaps, identifying actionable tasks, and driving those tasks to completion.
These engagements are typically long-term, paid contracts that are planned over months and carried out over weeks, with results analyzed over time. These tests and reports are beneficial to customers who need to evaluate detection and mitigation capabilities on a large scale. If you’re an application owner and want to evaluate the DDoS resiliency of your application, practice event response with real traffic, or have a DDoS compliance or regulation requirement, we recommend this type of engagement. These tests aren’t recommended if you want to learn the volumetric breaking points of the AWS network or understand when AWS starts to throttle requests. AWS services are designed to scale, and when certain dynamic volume thresholds are exceeded, AWS detection systems will be invoked to block traffic. Lastly, it’s critical to distinguish between these tests and stress tests, in which meaningful packets are sent to the application to assess its behavior.
DDoS firedrill testing with the Shield Response Team
Shield Advanced service offers additional assistance through the SRT, this team can also help with testing incident response workflows. Customers can contact the SRT and request firedrill testing. Firedrill testing is a type of synthetic test that doesn’t generate real volumetric traffic but does post a shield event to the requesting customer’s account.
These tests are available for customers who are already on-boarded to Shield Advanced and want to test their Amazon CloudWatch alarms by invoking a DDoSDetected metric, or test their proactive engagement setup or their custom incident response strategy. Because this event isn’t based on real traffic, the customer won’t see traffic generated on their account or see logs that drive helpful reports.
These tests are intended to generate associated Shield Advanced metrics and post a DDoS event for a customer resource. For example, SRT can post a 14 Gbps UDP mock attack on a protected resource for about 15 minutes and customers can test their response capability during such an event.
Note: Not all attack vectors and AWS resource types are supported for a firedrill. Shield Advanced onboarded customers can contact AWS Support teams to request assistance with running a firedrill or understand more about them.
Conclusion
DDoS simulations and incident response testing on AWS through the SRT or an AWS Partner are useful in improving application security controls, identifying Shield Advanced misconfigurations, optimizing existing detection systems, and improving incident readiness. The goal of these engagements is to help you build a DDoS resilient architecture to protect your application’s availability. However, these engagements don’t offer the same value to all customers. Most customers can obtain similar benefits by following AWS Best Practices for DDoS Resiliency. AWS recommends architecting your application according to DDoS best practices and fine tuning AWS Shield Advanced out-of-the-box offerings to your application needs to improve security posture.
Forescout Vedere Labs recently highlighted the neglected BGP security aspect – software implementation vulnerabilities.
FRRouting’s BGP message parsing vulnerabilities discovered by Forescout Vedere Labs could enable attackers to trigger a DoS state on susceptible BGP peers.
Major networking vendors depend on software suites that implement BGP, which are widely used online.
What is BGP?
The internet’s primary routing protocol is BGP, and large data centers frequently use BGP for internal traffic routing, while BGP extensions like MP-BGP are extensively implemented for MPLS L3 VPNs.
Organizations should avoid relying solely on their Internet Service Providers (ISPs) to ensure BGP security. It appears that attackers can still exploit easily accessible vulnerabilities in current BGP implementations.
By enabling the exchange of routing and reachability information, BGP facilitates the interaction of autonomous systems (ASes), which are sets of leased IP addresses allocated to organizations by registrars for a specific period.
A BGP failure may make an AS unreachable, as others cannot route packets. A threat actor may abuse a BGP setting to reroute network traffic in an unintentional direction.
Vulnerabilities
An analysis was conducted by security analysts using both manual analysis methods and fuzzing techniques to assess the following seven popular BGP implementations:-
FRRouting (Open-source)
BIRD (Open-source)
OpenBGPd (Open-source)
Mikrotik RouterOS (Closed-source)
Juniper JunOS (Closed-source)
Cisco IOS (Closed-source)
Arista EOS (Closed-source)
Analysts discovered three previously unknown vulnerabilities in Free Range Routing (FRRouting) version 8.4, released November 7th, 2022.
Here below, we have mentioned the complete flaw profile of the detected vulnerabilities:-
Description: Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option. This is a different issue from CVE-2022-40302.
Description: Out-of-bounds read when processing a malformed BGP OPEN message that abruptly ends with the option length octet (or the option length word, in case of OPEN with extended option lengths message).
CVSSv3.1: 6.5
Potential Impact: DoS
In 2016, FRRouting was created by developers from multiple commercial organizations by forking Quagga, another open-source project. FRRouting is now employed by major vendors, including nVidia Cumulus, and utilized by large organizations like:-
PayPal
Yahoo
Dutch National Police
While apart from this, Amazon supports DENT, and Microsoft supports SONiC, which is employed in some routers from Juniper.
In the case of repeated sending of malformed packets, the DoS condition can last indefinitely. Almost 1,000 of the 330,000 internet-enabled hosts with BGP enabled to respond to uninvited BGP OPEN messages.
It should be noted that most of the BGP hosts reside in the following countries:-
China (close to 100,000)
The US (50,000)
The UK (16,000)
A new open-source tool has been released (https://github.com/Forescout/bgp_boofuzzer/) by cybersecurity researchers for organizations to assess the security of their internally used BGP suites. Further, this tool can be used to discover new vulnerabilities in BGP implementations by cybersecurity researchers.
There are several scripts available with the tool to demonstrate how it can be used for testing the vulnerabilities found and testing the concept cases for:-
BGP OPEN
UPDATE
ROTE REFRESH
NOTIFICATION messages
Recommendation
Patching network infrastructure devices frequently is the most effective recommendation to minimize the risks associated with vulnerable BGP implementations like the ones discovered in FRRouting.
Maintaining an updated asset inventory that monitors the networking devices and software versions running on them is crucial to achieving this objective.
Akamai reported that on February 23, 2023, at 10:22 UTC, it mitigated the largest DDoS attack ever. The attack traffic peaked at 900.1 gigabits per second and 158.2 million packets per second. The record-breaking DDoS was launched against a Prolexic customer in Asia-Pacific (APAC).
“On February 23, 2023, at 10:22 UTC, Akamai mitigated the largest DDoS attack ever launched against a Prolexic customer based in Asia-Pacific (APAC), with attack traffic peaking at 900.1 gigabits per second and 158.2 million packets per second.” reads the post published by Akamai.
The company pointed out that the attack was intense and short-lived, with most attack traffic bursting during the peak minute of the attack. The overall attack lasted only a few minutes.
Akamai mitigated the attack by redirecting the malicious traffic through its scrubbing network.
Most of the malicious traffic (48%) was managed by scrubbing centers in the APAC region, but the company claims that all its 26 centers were loaded, with only one center in HKG handling 14,6% of the total traffic.
Akamai states that there was no collateral damage thanks to its defense.
The previous record-breaking distributed denial of service attack mitigated by Akamai hit a company customer in Europe on September 2022. At the time, the malicious traffic peaked at 704.8 Mpps and appeared to originate from the same threat actor behind another record-breaking attack that Akamai blocked in July and that hit the same customer.
In January, Microsoft announced that its Azure DDoS protection platform has mitigated a record 3.47 Tbps attack that targeted one of its customers with a packet rate of 340 million packets per second (pps).
The attack took place in November and hit a customer in Asia, it originated from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan.
The 3.47 Tbps attack was the largest one Microsoft has mitigated to date, likely the massive one ever recorded.
The number of DDoS attacks we see around the globe is on the rise, and that trend is likely to continue throughout 2023, according to Corero. We expect to see attackers deploy ever higher rate request-based or packets-per-second attacks.
“DDoS attacks have historically focused around sending packets of large sizes with the aim to paralyze and disrupt the internet pipeline by exceeding the available bandwidth. Recent request-based attacks, however, are sending smaller size packets, to target higher transaction processing to overwhelm a target. Those with responsibility for network health and internet service uptime should be taking note of this trend,” explained Corero CTO, Ashley Stephenson.
Legal responsibility
Corero also predicts that 2023 will see more breaches being reported, because of the increasing trend for transparency in data protection regulations. Regulations such as the UK Government’s Telecoms Security Bill will compel organizations to disclose more cyber-incidents publicly.
We are also likely to see the legal responsibility for bad corporate behaviour when dealing with breaches being linked to individual executives. Examples such as Joe Sullivan, the former head of security at Uber, who was recently found guilty of hiding a 2016 breach, could set a precedent for linking data protection decisions to the personal legal accountability of senior executives.
Evading DDoS defenses
Attackers will continue to make their mark in 2023 by trying to develop new ways to evade legacy DDoS defenses. We saw Carpet Bomb attacks rearing their head in 2022 by leveraging the aggregate power of multiple small attacks, designed specifically to circumvent legacy detect-and-redirect DDoS protections or neutralize ‘black hole’ sacrifice-the-victim mitigation tactics. This kind of cunning will be on display as DDoS attackers look for new ways of wreaking havoc across the internet and attempt to outsmart existing thinking around DDoS protection.
In 2023, the cyberwarfare that we have witnessed with the conflict in Ukraine will undoubtedly continue. DDoS will continue to be a key weapon in the Ukrainian and other conflicts both to paralyse key services and to drive political propaganda objectives. DDoS attack numbers rose significantly after the Russian invasion in February and DDoS continues to be used as an asymmetric weapon in the ongoing struggle.
Earlier this year, in other incidents related to the conflict, DDoS attackers attempted to disrupt the Eurovision song contest in an attempt to frustrate the victory of the Ukrainian contestants. Similarly, when Elon Musk showed support for Ukraine by providing Starlink satellite broadband services, DDoS attackers tried to take the satellite systems offline and deny Ukraine much needed internet services.
“Throughout 2022 we observed DDoS attacks becoming increasingly sophisticated while at the same time the DDoS attack surface is expanding. With the number of recorded attacks on the rise and significant shifts in attackers’ motives and goals, 2023 will require organizations to ensure they have robust DDoS defense in place,” said Lionel Chmilewsky, CEO at Corero Network Security.
KmsdBot Botnet Leverages SSH to Compromise Systems and to Launch DDoS Attacks
Researchers from Akamai have continued to study the cryptomining botnet KmsdBot and have looked at its attack flow. It is believed that KmsdBot is a distributed denial of service (DDoS) for hire due to the wide range of companies and regions that were attacked.
“We have continued to analyze and play around with KmsdBot, including modifying the binary and pointing it at our own command and control (C2), which led to us watching the threat actor crash the botnet”, Akamai researchers
Among the major targets were luxury brands and security companies, as well as the game modifications Grand Theft Auto V and Red Dead Redemption 2 and FiveM and RedM.
Asia, North America, and Europe represent the majority of the victims, according to observed IPs and domains.
Launch DDoS Attacks
While analyzing the attack traffic, the first noteworthy attack is referred to as “bigdata” and makes 1 Mb POST requests to the designated port. The payload looks to be garbage even though the Content-Type header says it is URL-encoded.
Researchers say this attack attempts to increase the amount of bandwidth needed to process each request by sending a lot of data in the body of each request. Hence, this is one of the most often used functionalities for this botnet and is a fairly basic feature that almost all DDoS campaigns use.
Also, the TCP protocol’s three-way handshake can be abused by the attacker by utilizing an SYN flood to create half-open connections on several ports.
This makes it difficult for the target server to handle the volume of traffic and makes it much more difficult for it to discriminate between malicious and legitimate connection requests.
Instead of concentrating on the overall effect of the size of the single packet, there were also some standard HTTP(s) POST and traffic instructions that blend in with standard traffic by closely resembling a normal packet in both size and format.
Here the basic goal of HTTP-based attacks is to send out a lot of packets, which makes it difficult to identify them from legitimate traffic and block them while defending against an attack.
“After observing this traffic for some time, we can see that after hitting a certain specified packet size, it will start back at a smaller size and grow again, repeating this process over and over”, explains researchers.
Targets Gaming, Luxury Brands, and Even Security Companies
The platforms FiveM and RedM, which are used to host modified “Grand Theft Auto V” and “Red Dead Redemption 2” servers, let server owners make new rules and add new elements to the server that wasn’t in the standalone game.
“A large concentration of targets was located in Asia, North America, and Europe based on the observed IPs and domains”, Akamai
KmsdBot, was intriguing for a few notable reasons: It was written in Go, it had cryptomining functionality, and it had seemingly erratic targets.
Akamai researchers noticed that KmsdBot follows some of the general tendencies, especially in terms of the language used. Malicious code is rapidly being created in a variety of languages, including Go and even compiled Python.
Cybersecurity company Imperva announced to have mitigated a distributed denial-of-service (DDoS) attack with a total of over 25.3 billion requests.
Cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests on June 27, 2022. According to the experts, the attack marks a new record for Imperva’s application DDoS mitigation solution.
The attack targeted an unnamed Chinese telecommunications company and outstands for its duration, it lasted more than four hours and peaked at 3.9 million RPS.
“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”
The Chinese telecommunications company was already targeted by large attacks in the past, and experts added that two days later a new DDoS attack hit its website, although the attack was shorter in duration.
The average rate for this record-breaking attack was 1.8 million RPS. Threat actors used HTTP/2 multiplexing, or combining multiple packets into one, to send multiple requests at once over individual connections.
The technique employed by the attackers is difficult to detect and can bring down targets using a limited number of resources.
“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.
This specific attack was launched botnet composed of almost 170,000 different IPs, including routers, security cameras and compromised servers. The compromised devices are located in over 180 countries, most of them in the US, Indonesia, and Brazil.
On Monday, September 12, 2022, Akamai mitigated the largest DDoS attack ever that hit one of its European customers. The malicious traffic peaked at 704.8 Mpps and appears to originate from the same threat actor behind the previous record that Akamai blocked in July and that hit the same customer.
On Monday, 12th September 2022, cybersecurity firm Akamai mitigated a distributed denial of service attack (DDoS Attack), which has been declared a record-breaking attack in terms of packets-per-second compared to the attack Akamai recorded in July.
For your information, cybercriminals bombard servers with fake requests and traffic to prevent legit visitors from accessing their services in a DDoS attack.
The primary targets of the attack Akamai recorded recently were European companies. It peaked at 704.8 million packets per second, marking the second attack on such a massive scale against the same customer within a short span of three months.
According to Akamai’s Craig Sparling, prior to June 2022, this customer only saw attack traffic against its primary data center. However, unexpectedly, the attack campaign expanded, hitting six different global locations, from Europe to North America.
Akamai Prolexic’s DDoS specialization culture, focus on customer infrastructure designs, and history are rooted in defending the most complex, multifaceted attacks, and our platform is equipped with purpose-built tooling for rapid threat mitigation, even in the ‘fog of war.
Sean Lyons, Senior Vice President and General Manager of Infrastructure Security
The attack was thwarted on the same day it was identified. Though not the largest DDoS attack ever, this one raised eyebrows because it was the largest attack against European organizations. The attackers used UDP as their DDoS vector and ICMP, SYN, RESET floods, TCP anomaly, PUSH flood, etc.
Attackers managed to target more than 1,800 IP addresses of a single organization, and the attack was dispersed at six different locations. Akamai noted that this attack originated from the same threat actor that targeted it previously, while the target is also the same unnamed customer based in Eastern Europe.
Previously, the attacker targeted the company’s primary data; this time, they could target 6 data center locations in North America and Europe.
As shown above, Akamai recorded a humongous 659.6 MPPS DDoS attack back in July. The latest attack was 7% higher than the one in July. The company received 74 DDoS attacks before July, and around 200 attacks afterward. The company stated that this campaign indicates attackers continuously improve their attack techniques to evade detection.
You’ve probably heard the old joke: “Humour in the public service? It’s no laughing matter!”
But the thing with downbeat, blanket judgements of this sort is that it only takes a single counter-example to disprove them.
Something cannot universally be true if it is ever false, even for a single moment.
So, wouldn’t it be nice if the public service could be upbeat once in a while…
…as upbeat, in fact, as the catchy Janet Jackson dance number Rhythm Nation, released in 1989 (yes, it really was that long ago)?
This was the era of shoulder pads, MTV, big-budget dance videos, and the sort of in-your-ears-and-in-your-face lyrical musicality that even YouTube’s contemporary auto-transcription system renders at times simply as:
Well, as Microsoft superblogger Raymond Chen pointed out last week, this very song was apparently implicated in an astonishing system crash vulnerability in the early 2000s.
According to Chen, a major laptop maker of the day (he didn’t say which one) complained that Windows was prone to crashing when certain music was played through the laptop speaker.
The crashes, it seems were not limited to the laptop playing the song, but could also be provoked on nearby laptops that were exposed to the “vulnerability-triggering” music, and even on laptops from other vendors.
Resonance considered harmful
Apparently, the ultimate conclusion was that Rhythm Nation just happened to include beats of the right pitch, repeated at the right rate, that provoked a phenomenon known as resonance in the laptop disk drives of the day.
Loosely speaking, this resonance caused the natural vibrations in the hard disk devices (which really did contain hard disks back then, made of steel or glass and spinning at 5400rpm) to be amplified and exaggerated to the point that they would crash, bringing down Windows XP along with them.
Resonance, as you may know, is the name given to the phenomenon by which singers can shatter wine glasses by producing the right note for long enough to vibrate the glass to pieces.
Once they’ve locked the frequency of the note they’re singing onto the natural frequency at which the glass like to vibrate, their singing continually boosts the amplitude of the vibration until it’s too much for the glass to take.
It’s also what lets you quickly build up height and momentum on a swing.
If you time your kicks or thrusts randomly, sometimes they boost your motion by acting in harmony with the swing, but at other times they work against the swing and slow you down instead, leaving you joggling around unsatifactorily.
But if you time your energy input so it always exactly matches the frequency of the swing, you consistently increase the amout of energy in the system, and thus your swings increase in amplitude, and you gain height rapidly.
A skilled swingineer (on a properly designed, well-mounted, “solid-arm” swing, where the seat isn’t connected to the pivot by flexible ropes or chains – don’t try this at the park!) can send a swing right over the top in a 360-degree arc with just a few pumps…
…and by deliberately timing their pumps out-of-sequence so as to counteract the swing’s motion, can bring it to a complete stop again just as quickly.
One of Google’s customers was targeted with the largest distributed denial of service (DDoS) attack ever recorded, according to a report the company released this week.
Attributed to Google Cloud Armor Senior Product Manager Emil Kiner and Technical Lead Satya Konduru, the report details the June 1 incident, in which a Google customer was hit with a series of HTTPS DDoS attacks, peaking at 46 million requests per second.
To put it in perspective, they compared the attack to “receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.”
“This is the largest Layer 7 DDoS reported to date — at least 76% larger than the previously reported record,” they wrote.
In June, Cloudflare announced it had stopped the largest HTTPS distributed denial of service (DDoS) attack ever recorded at 26 million requests per second, surpassing a then-record attack of 17.2 million requests, which at the time was almost three times larger than any previous volumetric DDoS attack ever reported in the public domain.
Both Cloudflare and Google have expressed concerns about the evolution of DDoS attacks in recent years as they grow in frequency and exponentially in size.
“Today’s internet-facing workloads are at constant risk of attack with impacts ranging from degraded performance and user experience for legitimate users, to increased operating and hosting costs, to full unavailability of mission critical workloads,” Kiner and Konduru explained.
The engineers said the attack started at 9:45 a.m. PST on June 1 and featured more than 10,000 requests per second. Within eight minutes, it grew to 100,000 requests per second. According to the report, Cloud Armor Adaptive Protection detected the attack and issued a “recommended rule” to block the incoming traffic, which the target’s security team put into place.
Two minutes later, the attack grew to its peak of 46 million requests per second before ending a little over an hour later.
“Presumably the attacker likely determined they were not having the desired impact while incurring significant expenses to execute the attack,” they wrote.
The hackers behind the attack used more than 5,000 source IPs from 132 countries to launch the attack, with the top 4 countries – Brazil, India, Russia and Indonesia – contributing about 31% of the total attack traffic.
Pro-Ukraine hackers are using Docker images to launch distributed denial-of-service (DDoS) attacks against a dozen Russian and Belarusian websites.
Pro-Ukraine hackers, likely linked to Ukraine IT Army, are using Docker images to launch distributed denial-of-service (DDoS) attacks against a dozen websites belonging to government, military, and media. The DDoS attacks also targeted three Lithuanian media websites.
The attacks were monitored by cybersecurity firm CrowdStrike, who discovered that the Docker Engine honeypots deployed between February 27 and March 1 were compromised and used in the DDoS attacks.
The attackers attempt to exploit misconfigured Docker installs through exposed APIs and takeover them to abuse their computational resources.
“Container and cloud-based resources are being abused to deploy disruptive tools. The use of compromised infrastructure has far-reaching consequences for organizations who may unwittingly be participating in hostile activity against Russian government, military and civilian targets.” reported Crowdstrike. “Docker Engine honeypots were compromised to execute two different Docker images targeting Russian, Belarusian and Lithuanian websites in a denial-of-service (DoS) attack.”
The technique to compromise Dockers containers is widely adopted by financially-motivated threat actors, like LemonDuck or TeamTNT to abuse their resources and mine cryptocurrencies.
The experts noticed that the Docker images’ target lists overlap with domains shared by the Ukraine IT Army (UIA). The attacks involved the two images that have been downloaded over 150,000 times, but the threat intelligence firm confirmed that CrowdStrike Intelligence cannot determine the exact number of downloads originating from compromised infrastructure.
The list of targeted websites includes the Kremlin and Tass agency websites.
The two images used by the attackers are named “erikmnkl/stoppropaganda” and “abagayev/stop-russia”.
“Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed UIA that called its members to perform DDoS attacks against Russian targets. CrowdStrike Intelligence assesses these actors almost certainly compromised the honeypots to support pro-Ukrainian DDoS attacks. This assessment is made with high confidence based on the targeted websites.” concludes the report that includes Indicators of Compromise (IoCs) along with Snort detection rule.
Cloudflare has mitigated a distributed denial-of-service (DDoS) attack that peaked at 15.3 million request-per-second (RPS).
Cloudflare announced to have mitigated a distributed denial-of-service (DDoS) attack that peaked at 15.3 million request-per-second (RPS), which is one of the largest HTTPS DDoS attacks blocked by the company.
The company blocked the attack earlier this month, the experts pointed out that HTTPS DDoS attacks are more expensive because require higher computational resources for establishing a secure TLS encrypted connection. On the other side, HTTPS DDoS attacks cost more to the victim to mitigate.
“Earlier this month, Cloudflare’s systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack — one of the largest HTTPS DDoS attacks on record.” reads the post published by CloudFlare. “We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”
The attack was launched by a botnet composed of approximately 6,000 unique bots that was monitored by Cloudflare experts and that was involved in other massive attacks that peaked at 10M rps.
The DDoS attack blocked by the company lasted less than 15 seconds and targeted an unnamed customer operating a crypto launchpad. Crypto launchpads are platforms for launching new coins, crypto projects, and raising liquidity.
Volumetric DDoS attacks are designed to overwhelm a target network/service with significantly high volumes of malicious traffic, which typically originate from a botnet under a threat actor’s control.
The analysis of the malicious traffic revealed that it mostly originated from data centers, it originated from 112 countries around the world. 15% of the malicious traffic originated from Indonesia, followed by Russia, Brazil, India, Colombia, and the United States.
“Within those countries, the attack originated from over 1,300 different networks. The top networks included the German provider Hetzner Online GmbH (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), OVH in France (ASN 16276), as well as other cloud providers.” concludes the post.
In August, the web infrastructure and website security company announced that it has mitigated the largest ever volumetric distributed denial of service (DDoS) attack at the time. The malicious traffic reached a record high of 17.2 million requests-per-second (rps), a volume three times bigger than previously reported HTTP DDoS attacks. Be aware, that the attack that the company blocked in August was an HTTP DDoS and not an HTTPS one.
In November 2021, the company mitigated a distributed denial-of-service (DDoS) attack that peaked just below 2 terabytes per second (Tbps), which is the largest attack Cloudflare has seen to date.
Threat actors compromised WordPress sites to deploy a script that was used to launch DDoS attacks, when they are visited, on Ukrainian websites.
MalwareHunterTeam researchers discovered the malicious script on a compromised WordPress site, when the users were visiting the website the script launched a DDoS attack against ten Ukrainian sites.
There’s about hundred of them actually. All through the WP vulns. Unfortunately, many providers/owners doesn’t react. @GoDaddy ignores abuse letters completely
The only evidence of the ongoing attack is the slowing down of the browser performance.
According to BleepingComputer, which first reported the discovery, DDoS attacks targeted pro-Ukrainian sites and Ukrainian government agencies, including think tanks, recruitment sites for the International Legion of Defense of Ukraine, and financial sites.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks aren’t new cyberattack vectors; They go all the way back to the early 1970s when modern commercial and enterprise networks emerged.
DDoS is a cyberattack in which the adversary seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. It doesn’t peruse any private data or get control over the target’s infrastructure; it just aims to bring the service down.
In today’s world, specifically with COVID, which accelerated organizations’ digital transformation, web presence is a must for just about any business. In this environment, DDoS attacks can be very destructive.
Main ingredients of DDoS attacks
Ingredient # 1 – Botnet
A botnet is a group of infected, compromised machines with malware controlled by malicious software without the knowledge of the machine owner. It ranges from ordinary home or office PCs to IoT devices. Compromised machines called bots or ‘zombies’ are used to launch DDoS attacks, spread SPAM, or perform other malicious activities orchestrated by the attacker.
One of the most infamous Botnets is ‘Mirai,’ which used hundreds of thousands of hijacked IoT devices. The creators of the Mirai botnet, Josiah White, Paras Jha, and Dalton Norman, who were all between 18 and 20 years old when they built Mirai, managed to hijack IoT devices by scanning the Internet for vulnerable IoT devices with factory-set usernames and passwords, log into them, and infect them with the Mirai malware.
The Mirai botnet was used in multiple DDoS attacks between 2014 and 2016 and, when the creators felt the heat coming from the authorities, they published the Mirai source code in a Hackers’ forum in an attempt to cover their tracks. All three were eventually indicted, plead guilty, and are now fighting crime with the FBI. Amazing how life turns out.
Just like we have COVID variants and mutations, Mirai also evolved and its source code mutations have been used in the wild by hackers. Okiru, Satori/Fbot, Masuta, Moobot, and more than 60 other Mirai variants are out there.
Cloudflare, Inc. is an American web infrastructure and website security company that provides content delivery network and DDoS mitigation services. The company announced to have mitigated a distributed denial-of-service (DDoS) attack that peaked just below 2 terabytes per second (Tbps), which is the largest attack Cloudflare has seen to date.
The attack was launched by a Mirai botnet variant composed of 15,000 bots, it combined DNS amplification attacks and UDP floods. The botnet included Internet of Things (IoT) devices and GitLab instances.
“This was a multi-vector attack combining DNS amplification attacks and UDP floods. The entire attack lasted just one minute. The attack was launched from approximately 15,000 bots running a variant of the original Mirai code on IoT devices and unpatched GitLab instances.” reads the post published by Cloudflare.
Experts warn that terabit-strong attacks are becoming common confirming the trend in the overall increase of the intensity of distributed denial-of-service attacks.
Cloudflare Q3 DDoS Trends report also revealed that network-layer DDoS attacks increased by 44% quarter-over-quarter.
In August, the company announced that it has mitigated the largest ever volumetric distributed denial of service attack to date. The malicious traffic reached a record high of 17.2 million requests-per-second (rps), a volume three times bigger than previously reported HTTP DDoS attacks.
In October, Microsoft announced that its Azure cloud service mitigated a 2.4 terabytes per second (Tbps) DDoS attack at the end of August, it represents the largest DDoS attack recorded to date. The attack was aimed at an Azure customer in Europe, but Microsoft did not disclose the name of the victim. This is the largest DDoS attack that hit Azure customers prior to August 2020 when experts observed a 1 Tbps attack.
Researchers have disclosed a nasty new way for bad people to mess up the internet for the rest of us. They’ve found a fantastically powerful reflective-amplification attack technique that could easily be used for distributed denial of service (DDoS).
You’ll be pleased to know the researchers haven’t wasted their time dreaming up a fancy name or a logo. On the other hand, they’re far from hopeful that the problems can be fixed.
Nation-states would have to fix their firewalls, which ain’t gonna happen. In today’s SB Blogwatch, this is why we can’t have nice things.
Weaponizing this attack is relatively simple” Academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks. … The research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations. … Reflective amplification … happens when an attacker sends network packets to a third-party server on the internet, the server processes and creates a much larger response packet, which it then sends to a victim instead of the attacker. … The amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms of … DDoS. … The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic. … If the attacker tried to access a forbidden website, then the middlebox would respond with a “block page,” which would typically be much larger than the initial packet—hence an amplification effect. … Weaponizing this attack is relatively simple.
Distributed Denial of Service (DDoS) Attacks: Classification, Attacks, Challenges and Countermeasures
CDN and cybersecurity firm Akamai warns of a worrying escalation in ransom DDoS attacks since the beginning of the year.
The company recently mitigated three of the six biggest volumetric DDoS attacks it has ever dealt, two of which were ransom DDoS attacks.
One of these two ransom DDoS attacks targeted a gambling company in Europe and peaked at 800Gbps, but the most worrisome aspect of the attack was its sophistication.
According to the company, the rise of the Bitcoin price is motivating the cybercriminals in intensifying their efforts and their attack bandwidth to carry out powerful attacks with extortion purposes.
“The most recent extortion attack — peaking at more than 800 Gbps and targeting a European gambling company — was the biggest and most complex we’ve seen since the widespread return of extortion attacks that kicked off in mid-August 2020. Since the start of the campaign, show-of-force attacks have grown from 200+ Gbps in August to 500+ Gbps by mid-September, then ballooned to 800+ Gbps by February 2021.” reads the analysis published by Akamai.“But the size of the extortion attack wasn’t the only notable characteristic of the actors’ modus operandi.”
A new way of sending powerful denial of service traffic emerged this week. Malefactors are now misusing servers that talk Datagram Transport Layer Security (D/TLS).
Typified by Cisco’s Netscaler ADC product, before a patch was released in January, some D/TLS servers don’t check for forged requests. That allows scrotes to misuse these high-bandwidth servers to deny internet service to people they want to extort money from.
This possibly includes Sony, whose LittleBigPlanet service has been AWOL for a week. In today’s SB Blogwatch, we ask the question.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: But is it art?
DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS-mitigation services develop protections … the criminals respond with new ways to make the most of their limited bandwidth. … In so-called amplification attacks, DDoSers send requests of relatively small data sizes to certain types of intermediary servers. … DDoS-for-hire services [are] adopting a new amplification vector … D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets. … The biggest D/TLS-based attacks Netscout has observed delivered about 45 Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207 Gbps. … Abusable D/TLS servers are the result of misconfigurations or outdated software that causes an anti-spoofing mechanism to be disabled. While the mechanism is built in to the D/TLS specification, hardware including the Citrix Netscaler Application Delivery Controller didn’t always turn it on by default.
