Tag Archives: Denial-of-service attack

Korean Banks

The Washington Post report that it seems the attack on South Korea’s Nonghyup agricultural bank back in April was the work of North Korea. The evidence?

South Korean investigators said they determined that 10 servers used in the bank incident were the same ones used in previous cyberattack operations against South Korea, including one in 2009 and another in March, that they blamed on the North. Investigators say they determined, for instance, that a “command and control” server used in the 2009 operation was registered to a North Korean government agency operating in China.

This is interesting. Command and control servers are compromised computers that are used by bad guys to “run” other computers—zombies—that actually do the grunt work. There’s definitely a common thread between the 2009 and 2011 DDOS attacks, and plenty of circumstan

Southeast Asia’s Viral Infection

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one count Thailand has risen to be the country with the most number of malware infections, by one account, and by another to be the second, all in the past few months.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China) with nearly 57% of computers scanned by their antivirus software as being infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The AntiPhishing Working Group’s report for the second half of 2010 lists as top in terms of infected countries–nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has a lot fewer computers connected to the Internet compared to the U.S.: about 40 million vs 245 million. This means that Indonesia is generating 5 times as much DDOS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (i.e. DDOS traffic). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDOS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that this traffic that they saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

The Battery DDOS: Tip of An Iceberg

An interesting story brewing about the FBI investigating a DDOS (Distributed Denial of Service) attack on websites selling batteries. But the reporting does not go far enough: In fact, a little research reveals this is part of a much bigger assault on a range of industries.

As a starting point, look at Elinor Mills of the excellent Insecurity Complex at CNET:

U.S. battery firms reportedly targeted in online attack | InSecurity Complex – CNET News: “The FBI is investigating denial-of-service attacks targeting several U.S. battery retail Web sites last year that were traced to computers at Russian domains in what looks like a corporate-sabotage campaign, according to documents published yesterday by The Smoking Gun.”

But a closer look at the source documents suggests this is just the tip of a much bigger iceberg. The Smoking Gun incorrectly reports the email address used by the alleged hacker, a St Petersburg man called Korjov Sergey Mihalivich, as lvf56fre@yahoo.com. In fact, the FBI lists it as lvf56kre@yahoo.com, which yields much more interesting results. Such as this one, from ShadowServer.

ShadowServer shows that the domains under that person’s control, globdomain.ru (not globdomian.ru as reported by the Smoking Gun) and greenter.ru, have been prolific since 2010 in launching DDOS attacks against 14 countries and more than 30 industries and government websites. An update from ShadowServer in January 2011 counted 170 “different victims. Again, these attacks are across many different industries and target some rather high profile sites.” (It doesn’t identify them.)

The DDOS attacks use the BlackEnergy botnet, described by Arbor Networks’ Jose Nazario in a 2007 paper [PDF]. Back then Nazario reported the botnet’s C&C systems were hosted in Malaysia and Russia.

The same email address used for those two domains has registered other domains: trashdomain.ru, which has been recorded as the host for a Trojan dropper called Microjoin.

In other words, this is a lot more than about batteries. This appears to be a DDOS for rent to businesses wanting to take out business rivals in a host of fields. Indeed, the FBI investigation makes this clear, and cites the $600,000 damage caused as included attacks on “a wide range of businesses located in the United States.” (This does not include the dozen other countries affected, hence, presumably, the quite low sum involved.)

The batteries attack took place in October 2010, but the FBI document makes clear that as of May 2011 the attacks were still going on.

At present it’s not clear who is behind these attacks–in other words, who is paying for them. This could be a ransom attack–pay up or we will keep DDOSing–but this doesn’t seem to be the case, as Batteries4less.com Chief Executive Coryon Redd doesn’t mention any such approach in an interview with Mills. He seems to believe that “[t]he competitor is going to be U.S.-based and contracting out with a bad guy in Russia.”

Could be right. In which case the investigation has stumbled on a dark world of business tactics stretching from banking to astrology consultants. More research needed, please.

The New Attack: Penetrate and Tailor

In its latest security report Cisco identifies a trend I hadn’t heard of before with malware writers: Closer inspection of those computers they’ve successfully penetrated to see whether there’s something interesting there, and then if there is targeting that company (or organisation) with a more tailored follow-up attack:

Attackers can—and do— segregate infected computers into interest areas and modify their methods accordingly. For example, after initial infection by a common downloader Trojan, subsequent information may be collected from infected machinesto identify those systems more likely to lead to sensitive information. Subsequently, those “interesting” machines may be delivered an entirely different set of malware than would other “non-interesting” computers.

This is, as Cisco says, a pretty good example of that much maligned term, the Advanced Persistent Threat. Unfortunately they don’t give more concrete examples. But it seems as if the most targeted sector is the pharmaceuticals and chemical industry: 500% more than the median infection rate, or twice the next industry, oil and gas.

On DoS (Denial of Service) attacks, Cisco says that “while once largely prank-related, DoS attacks are increasingly politically and financially motivated.” It doesn’t add more, unfortunately, and much of the rest of the report is sales-pitch. I’ll try to get more out of them, because there might be some interesting trends lurking behind the rather thin data.

Did Prolexic Fend Off Anonymous’s Sony Attacks?

Prolexic, a company that defends clients against Distributed Denial of Service (DDoS) attacks, says it has successfully combatted the “Largest Packet-Per-Second DDoS Attack Ever Documented in Asia”:

“Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) mitigation services, today announced it successfully mitigated another major DDoS attack of unprecedented size in terms of packet-per-second volume. Prolexic cautions that global organizations should consider the attack an early warning of the escalating magnitude of similar DDoS threats that are likely to become more prevalent in the next 6 to 8 months.”

Although it describes the customer only as “an Asian company in a high-risk e-commerce industry” it could well be connected to the recent attacks on Sony by Anonymous. A piece by Sebastian Moss – The Worst Is Yet To Come: Anonymous Talks To PlayStation LifeStyle — in April quoted an alleged member of Anonymous called Takai as reacting to unconfirmed reports that Sony had hired Prolexic to defend itself (Sony Enlists DDoS Defense Firm to Combat Hackers):

“It was expected. We knew sooner or later Sony would enlist outside help”. Pressed on whether Anonymous would take out Prolexic, Takai showed confidence in the ‘hacktavist’s’ upcoming retaliation, stating “well, if I had to put money on it … I’d say, Prolexic is going down like a two dollar wh*** in a Nevada chicken ranch  ”. He did admit that the company “is quite formidable” and congratulated “them for doing so well”, but again he warned “We do however have ways for dealing with the ‘Prolexic’ factor”.

The website also quoted Anonymous members expressing frustration at the new defences, but that they appeared to be confident they would eventually prevail. That doesn’t seem to have happened.

Prolexic’s press release says the attacks had been going on for months before the client approached the company. The size of the attack, the company said, was staggering:

According to Paul Sop, chief technology officer at Prolexic, the volume reached levels of approximately 25 million packets per second, a rate that can overwhelm the routers and DDoS mitigation appliances of an ISP or major carrier. In contrast, most high-end border routers can forward 70,000 packets per second in typical deployments. In addition, Prolexic’s security experts found 176,000 remotely controlled PCs, or bots, in the attacker’s botnet (robot network). This represents a significant threat as typically only 5,000-10,000 bots have been employed in the five previous attacks mitigated by Prolexic.

It does not say why it considers the attack over, now gives any timeline for the attack. But if it is Sony, it presumably means that Anonymous has withdrawn for now or is preoccupied with other things. Prolexic, however, is probably right when it warns this is a harbinger of things to come:

“Prolexic sees this massive attack in Asia with millions of packets per second as an early warning beacon of the increasing magnitude of DDoS attacks that may be on the horizon for Europe and North America in the next 6 to 8 months,” Sop said. “High risk clients, such as those extremely large companies in the gaming and gambling industries in Asia, are usually the first targets of these huge botnets just to see how successful they can be.”

The Blue Frog Burps His Last?

Bobbie Johnson, technology correspondent at The Guardian is reporting that Blue Security is killing off the Blue Frog, saying it “could no longer continue to operate in the face of an escalating threat to the internet from a malicious Russian spammer known only as PharmaMaster.” The Blug Frog had been under serious attack from PharmaMaster, knocking it and much of Canada off the air via Denial of Service attacks on its servers.

Eran Reshef, the founder of Blue, said his company, which recently drew $4.8m (£2.5m) in funding and counts several senior industry figures as directors, was simply unable to become trapped in a war against a criminal group. “This is something that’s really got to be left to governments to decide. To fight the spammers you really need to spend $100m.”

Reshef is quoted as saying “it’s a dirty little secret that there is no real way to totally prevent denial-of-service attacks – if the attacker is prepared to put enough money in, then they can beat you every time.”

A surprising conclusion, if true (Bobbie has checked around and says it is so.) Certainly I think Reshef is right that it’s up to governments to deal with this kind of thing; Blue Frog was good in principle, but its supporters began to sound more like vigilantes than a serious and kosher effort to combat spam.

The Red-faced Blue Frog

What’s intriguing about this Blue Security/Blue Frog episode, where angry spammers attack the anti-spam company with a Distributed Denial of Service (DDoS) attack, which in turn directs traffic (unwittingly or wittingly, it’s not clear yet) and temporarily brings down blog hoster TypePad, is this: The guy behind Blue Security, Eran Reshef, is founder of Skybox, a company “focused on enabling the continuous enterprise-wide assessment of vulnerabilities and threats affecting corporate networks.”

This is at best somewhat embarrassing for Reshef, and for Blue Security, at worst it exposes him and the company to ridicule and lawsuits. Getting involved in battling spammers is not a task taken on lightly, and the one thing that Blue Security had going for it was that it seemed to know what it was doing. Users download software and register their email addresses in a central database. Spammers are encouraged to remove those email addresses; if they don’t, the software will respond to subsequent spam by visiting the website advertised and automatically filling the order form. If enough people have the software running this, in theory, creates an overwhelming amount of traffic for the spammer and brings their business to a halt. Blue Security now says it has tens of thousands of members.

But then came last week’s attack. Reshef initially said that that no such DDoS took place on the www.bluesecurity.com server, something contested by some analysts. He has since said that a DDoS did take place, but against operational, back-end servers  and not connected to his company’s front door. This, he said, he only spotted later. He says that when he redirected traffic to his blog at TypePad there was no DDoS on the bluesecurity.com website; that, he says, came later. This appears to be borne out by web logs provided to TechWeb journalist Gregg Keizer.

Blue Security’s handling of this raises more questions than it answers. Many are highly technical and not ones I understand. But there are some basic ones. Was the company not prepared for spammers to retaliate? Did it not have any procedures in place? Why did it redirect traffic to TypePad without informing them first? Why did it not coordinate closely with its ISP? And why, given Reshef’s expertise on DDoS attacks with Skybox, was he not able to spot the DDoS attack on his backend servers?

Lycos And One Way Not To Deal With Spam

Lycos Europe, according to The Register, is distributing “a special screensaver in a controversial bid to battle spam”. Make Love Not Spam “sends a request to view a spam source site. When a large number of screensavers send their requests at the same time the spam web page becomes overloaded and slow”.

The idea, of course, is to slow down servers allegedly delivering spam by overloading it with requests in what is called a distributed denial of service (DDoS) attack. Lycos’ argument: The spam sites will get charged for the higher traffic, and eventually go out of business. As Aunty Spam, a website dedicated to spam issues, points out, Lycos may be skating on thin ice: denial of service attacks are illegal, at least in the U.S. “The problem is, just because you are part of DDOSing spammers rather than legitimate companies doesn’t make it any less illegal.”

I’d tend to agree. Tempting as it is to do this kind of thing, it’s not the way to go, and I’m surprised that Lycos is doing it. My bet is that Lycos Europe finds itself on the end of its own DDoS attack from vengeful spammers.

Why Is The Bush Campaign Website Blocked?

I know it’s not particularly new, but why is George W Bush’s website inaccessible outside the U.S.?

Netcraft reported last week that the site could not be reached except by users in North America. Even entering the numbered IP address appears to have been blocked. (GeorgeWBush.co.uk works fine, as does GeorgeWBush.org, but then they’re not exactly under Bush’s control.)

Netcraft’s Prettejohn is quoted by the BBC as speculating it could be an effort to ensure the website stays online during the last few days of the election campaign. But what about all the overseas voters? A Bush campaign spokesman is quoted as saying that it was done for security reasons.

To me what is lacking in coverage of this issue is the notion that the blocking may actually have an impact on the election. In 2000 Bush’s victory was certified only after overseas ballots were counted. Of course, many overseas Americans have already voted, but both parties are urging last-minute voters to fill in absentee ballots and fax them home.

AP reports that “The complicated issue of counting absentee ballots also added to the confusing array of new machines and new state voting regulations prompted by the debacle of the last race for the White House.” States, AP says, have “differing and confusing rules about deadlines for such ballots. Some states, for example, allow absentee votes to be counted days after the election, provided they are postmarked by Nov. 2. Others mandate that mailed ballots received after Election Day do not count.” On top of that, election officials in more than a dozen states missed the recommended deadline for mailing absentee ballots overseas, meaning soldiers in Iraq and Afghanistan might not get them in time to vote.

In light of this looming absentee ballot issue, why would Bush’s campaign risk losing votes by closing down the site? One argument is they’re short of money, but I can’t believe that. Another is fear of too much traffic — but then add more servers. Fear of being brought down by a Denial Of Service (DDoS) attack? Makes sense — and it may have been sparked by any earlier outage blamed by some on such an attack. But with both candidates chasing every vote they can it just does not make sense to me.

If it was just blocking the DNS name (georgewbush.com) that would make sense. But why block the IP number too (not originally blocked; it seems to have happened later)? How many users are going to access the website that way? It seems to be a deliberate attempt to block every single overseas user. Which to me means they fear a DDoS attack. Another weird episode.