Education, freedom and knowledge. These are the pillars for higher learning, but have often been used to describe some open source projects and services that have the potential to be abused by those that are not so innocent. Over the last two years, tools like stressers, Remote Administration Tools (RAT) and ransomware have been published under these pretenses, but do they serve a legitimate purpose? These projects have set off an international debate in the information security community and many wonder if they should be available to the public. Often the justification for these projects is that they are intending to show the potential risks so they can be used to prevent infections or reduce potential damage. With stressers, they claim that the services are to be used to improve and test security products and to understand attack behavior targeting their network. But are they?
DDoS attacks can be costly and risky. TierPoint is witnessing a growing trend of using such attacks as the means to another, potentially more devastating, end: stealing sensitive data. Call this new breed of attack the “DDDoS”—deceptive distributed denial-of-service. For two recent examples, look to attacks on Carphone Warehouse and Linode. By bombarding Carphone Warehouse with online traffic, hackers were able to steal the personal and banking details of 2.4 million people. Similarly, cloud provider Linode suffered more than 30 DDoS attacks which appeared to be a ruse to divert attention away from a breach of user accounts.
Ransomware traditionally has used self-replicating and distributing features written into the malware itself to search out, break into, and infect unsecure devices. The benefits of this are clear: fast and wide malware distribution touching thousands of devices.
Enter stage left, Popcorn Time: the first ransomware which uses the human victim themselves to find and target additional victims to continue distribution of the malware. The idea is straightforward. When your computer becomes infected, you have four options: 1) Pay the ransom and gain back control of your data, 2) Identify personal contacts you will try to infect in order to have your data released, essentially blackmailing the victim, 3) Call law enforcement for help and hope they have the resources to help, or 4) Do nothing. Looking at these, there are really only two options that will help the victim: pay out, or provide targets.
Unless you have been living under the proverbial rock, you probably heard about a number of Internet of Things (IoT) attacks this fall, beginning with KrebsOnSecurity, then OVH, then the DDoS attack on Dyn DNS. All of this started with a bot called Mirai, and involved IoT devices. Why is this important? By 2020, it is estimated that the number of connected devices is expected to grow exponentially to 50 billion. A survey by HP indicates that about 70% of these devices have vulnerabilities, making them the perfect targets for botnets like Mirai.
In 2015, we made a number of predictions for the upcoming year. One of the bigger predictions was that we would see the continued rise of ransomware and RDoS (ransom-denial-of-service) attacks. When we look back at the year, we were right – 56% of companies we surveyed reported being threatened in this manner.
Because these attacks have become so prevalent, it’s important to understand the motives behind them, and how to protect your organization. Below is a round-up of some of our most popular blog posts to bring you up to speed on this threat:
How much someone is willing to pay in a ransom attack varies greatly by age, with younger consumers likely to pay more.
That’s one of the findings in a new study among over 2,000 U.S. adults conducted online on behalf of Radware by Harris Poll. It’s not a great sign after a year when ransom attacks locked up patient records at hospitals and disabled MUNI ticket machines in San Francisco. The attacks included ransomware, ransom DDoS, and other threats designed to extort money from unprepared organizations. Many variants arose, including Locky and Petya that propagate through spam emails and phishing, respectively; Samas, which exploits webserver vulnerabilities; and Cerber, which imitates an Adobe Flash player update.
Who is to blame when hackers take control of thousands of internet-connected devices to carry out a DDoS attack?
That’s what security researchers have been asking since the Dyn attack hamstrung dozens of major websites in October. Using the Mirai malware, hackers harnessed 100,000 internet-connected devices in a DDoS attack that reportedly reached 1.2 Tbps. Those devices, from cameras to DVRs, are often consumer-owned, and we wanted to see what consumers thought of their devices being co-opted for these attacks.
We asked them where they’d point fingers if their devices are compromised and used as part of an IoT botnet.
2016: What a year! Internet of Things (IoT) threats became a reality and somewhat paradoxically spawned the first 1 Tbps DDoS—the largest DDoS attack in history. Radware predicted these and other 2016 events in the 2015–2016 Global Application and Network Security Report. Since initiating this annual report, we have built a solid track record of successfully forecasting how the threat landscape will evolve. While some variables stay the course, the industry moves incredibly quickly, and it takes just one small catalyst to spark a new direction that nobody could have predicted.
Let’s take a look back at how our predictions fared in 2016—and then explore what Radware sees on the horizon for 2017.
A DNS reflective attack is used in many distributed denial-of-service (DDoS) attacks to saturate an internet pipe. The attack has two steps: the attacker sends a large number of requests to one or more legitimate DNS servers using the spoofed source IP of the target victim. The DNS server receiving these semi-legitimate requests replies to the spoofed IP, thereby unknowingly launching an attack on the target victim with responses to requests that the victim never sent.
The internet is full of DNS servers operating as open resolvers that will serve any request sent to them; some reports put the number in the millions. This huge number makes it very hard to identify the attack in advance using IP reputation. Furthermore, these servers are legitimate servers that usually send legitimate traffic, so an IP reputation service cannot tell whether or not they are malicious.
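Because the reflectors are legitimate resolvers, a defender cannot key on who the responses come from; what gives the attack away at the victim's edge is that the responses match no query the victim sent. The stateful check below is an added example written for this page, not Radware's code; the packet records are constructed, the addresses are documentation ranges, and matching on transaction id alone (rather than id plus UDP port) is a simplifying assumption.

```python
from collections import defaultdict

# Constructed packet records as seen at the victim's network edge (not real traffic):
# (direction, local_ip, resolver_ip, dns_txid, payload_bytes)
# "out" = a DNS query a local host sent to a resolver, "in" = a DNS response received.
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", "198.51.100.5", 0x1A2B, 60),    # legitimate query
    ("in",  "203.0.113.10", "198.51.100.5", 0x1A2B, 180),   # its matching reply
    ("in",  "203.0.113.20", "192.0.2.11",   0x0001, 3200),  # replies nobody asked for,
    ("in",  "203.0.113.20", "192.0.2.12",   0x0001, 3200),  # from many distinct
    ("in",  "203.0.113.20", "192.0.2.13",   0x0001, 3200),  # open resolvers, each
    ("in",  "203.0.113.20", "192.0.2.14",   0x0001, 3200),  # carrying a large answer
    ("in",  "203.0.113.20", "192.0.2.15",   0x0001, 3200),
    ("in",  "203.0.113.20", "192.0.2.11",   0x0001, 3200),  # same reflector again
]


def find_reflection_targets(packets, min_reflectors=3, min_bytes=4096):
    """Return {victim_ip: (unsolicited_responses, distinct_reflectors, bytes)}
    for local hosts receiving DNS responses to queries they never sent.
    A host is reported only when the replies come from at least
    min_reflectors distinct resolvers and total at least min_bytes."""
    pending = set()  # (local_ip, resolver_ip, txid) of queries actually sent
    stats = defaultdict(lambda: [0, set(), 0])  # per local host
    for direction, local, resolver, txid, size in packets:
        key = (local, resolver, txid)
        if direction == "out":
            pending.add(key)
        elif key in pending:
            pending.discard(key)  # response answers a real query: benign
        else:
            host = stats[local]   # unsolicited: the reflection signature
            host[0] += 1
            host[1].add(resolver)
            host[2] += size
    return {ip: (count, len(refl), total)
            for ip, (count, refl, total) in stats.items()
            if len(refl) >= min_reflectors and total >= min_bytes}


if __name__ == "__main__":
    for ip, (count, reflectors, total) in find_reflection_targets(SAMPLE_PACKETS).items():
        print(f"{ip}: {count} unsolicited DNS responses from {reflectors} "
              f"resolvers, {total} bytes")
```

Reputation-based blocking would pass every one of these resolvers; the per-host state, not the source address, is what separates the reflected flood from the legitimate exchange on 203.0.113.10.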
2016 has been an eventful year when it comes to denial of service attacks. This year the industry as a whole has seen the largest attacks ever, and new attack vectors designed to test and challenge modern-day defenses. Every year Radware’s ERT sees millions of attacks, and throughout the year our ERT researchers constantly review and analyze them to gain further insight into trends and changes in the attack vector landscape.
This year, two of the most common trends among attackers were burst attacks, aka “hit and run”, and advanced persistent denial of service (ApDoS) campaigns. Throughout the year we have observed a number of attackers using short bursts of high volume attacks in random intervals, and attacks that have lasted weeks, involving multiple vectors aimed at all network layers simultaneously. These types of attacks have a tendency to cause frequent disruptions in a network server’s SLA and can prevent legitimate users from accessing your services.