Scant Brain Power Behind Massive DDoS Attack
It may be the most disturbing thing about last week's historic denial of service attack on a Dutch anti-spam organization -- the fact that the technology involved wasn't that complicated. That's one of the findings of security professionals studying the attack methods used on Spamhaus, along with the knowledge that the hackers used the Internet's own structure to extend their assaults on the group.
Apr 1, 2013 6:00 AM PT
One of the largest denial of service attacks in the history of the Internet didn't take rocket science to execute.
The offensive was conducted over several days last week after the anti-spam group Spamhaus placed a Dutch hosting service, located in a former NATO bunker, on a blacklist reserved for spammers.
A group calling itself STOPhaus is claiming responsibility for the series of attacks which, at their height, reached bandwidths of 300 Gbps. A 10 Gbps attack will bring most websites down.
To reach those bandwidth levels, the attackers exploited the Internet's architecture and the Domain Name System to expand the scope of their assaults. They sent small DNS queries to open recursive resolvers with the source address forged to be Spamhaus's, so that each resolver's much larger reply went to the victim instead of the sender. The open servers essentially worked like megaphones, amplifying the attack many times over.
The technique was used earlier this year in a series of attacks on U.S. financial websites.
Perl Used By Swine?
Despite the magnitude of the onslaughts, security experts said they can be launched with a relatively low level of technical knowledge.
"The technique isn't particularly difficult," said Matthew Prince, co-founder and CEO of Cloudflare. Prince's company came to Spamhaus's aid when the attacks threatened to overwhelm its website.
"The amount of code you'd need to write to launch this attack can almost be done in a line of Perl," Prince told TechNewsWorld.
The most difficult part of the campaign is finding open resolvers to use in the attack, because it means scanning billions of IP addresses, essentially the whole IPv4 space, for servers that will answer recursive queries from anyone.
"It takes a lot of reconnaissance, but not a whole lot of technology itself," Henry Stern, a threat researcher with Cisco told TechNewsWorld.
That reconnaissance may have gotten easier. A group calling itself the Open DNS Resolver Project has published a list of 27 million open or semi-open resolvers on the Net. The group's intentions are good ones; it wants server operators to check their IP addresses at the site and restrict access to any of their servers they find on the list.
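The two checks the article describes, whether a server is an open recursive resolver and how much bigger its reply is than the query that triggered it, can be done with a few dozen lines of code. The following is an added example, not code from the article or from the Open DNS Resolver Project: it builds the kind of small EDNS0 ANY query that reflectors were fed, classifies a reply by its header flags, and reports the amplification ratio. The query name `isc.org`, the 4096-byte EDNS0 size and the `probe()` helper are assumptions for illustration; the sample reply is constructed in code, not captured traffic. The probe does not spoof its source address, so it is the check an operator runs against a server they own, not the attack itself.

```python
"""DNS amplification primitives: build a small recursive ANY query, decide from
the reply whether a server is an open resolver, and measure amplification.
Added example, not from the original article."""
import os
import socket
import struct

EDNS_UDP_SIZE = 4096  # UDP payload size advertised in the OPT record (assumed)
QTYPE_ANY = 255
QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=None):
    """Recursive query (RD=1) plus an EDNS0 OPT record asking for 4096-byte UDP
    replies. For 'isc.org' this is 36 bytes of DNS payload."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    flags = 0x0100  # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=0 (ext flags), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Unpack the 12-byte DNS header into the flags that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_response(query, response):
    """A server that echoes our ID, sets QR and RA, returns RCODE 0 and answers a
    recursive query for a zone it does not serve is usable as a reflector."""
    qid = struct.unpack("!H", query[:2])[0]
    h = parse_header(response)
    is_open = (h["id"] == qid and h["qr"] and h["ra"]
               and h["rcode"] == 0 and h["ancount"] > 0)
    return {"open_resolver": is_open, "rcode": h["rcode"],
            "query_bytes": len(query), "response_bytes": len(response),
            "amplification": round(len(response) / len(query), 1)}


def constructed_response(query, txt_records=10, rcode=0):
    """CONSTRUCTED fixture, not captured traffic. rcode=0: an open resolver
    echoing the question with QR/RD/RA set and `txt_records` bulky TXT answers.
    rcode!=0: a closed resolver answering with that error, no RA, no answers."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:query.index(b"\x00", 12) + 1 + 4]  # name + type + class
    if rcode:
        return struct.pack("!HHHHHH", txid, 0x8100 | rcode, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, txt_records, 0, 0)
    rdata = b"\xff" + b"A" * 255  # one 255-character TXT string
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + rr * txt_records


def probe(server, name="isc.org", timeout=2.0):
    """Send one query to `server` and classify its reply. Needs the network;
    run it only against resolvers you operate."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(EDNS_UDP_SIZE)
    return classify_response(q, data)


if __name__ == "__main__":
    q = build_query("isc.org")
    print("open resolver:", classify_response(q, constructed_response(q)))
    print("refused:", classify_response(q, constructed_response(q, rcode=5)))
```

With the constructed ten-record reply the ratio is about 75 to 1, which is the whole point: the attacker's outbound bandwidth is multiplied by the reflectors, and the victim sees the resolvers' addresses, not the attacker's. For a server found on the list, the fix is to stop answering recursive queries from arbitrary sources (in BIND, turn recursion off on authoritative-only servers or limit it with an `allow-recursion` ACL), after which the probe should report REFUSED rather than an answer.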
Gangs and the Web
Gangs and how they use the Internet have been the subject of some recent articles by Scott H. Decker at the School of Criminology and Criminal Justice at Arizona State University, and David Pyrooz at the College of Criminal Justice at Sam Houston State University.
Law enforcement officials have been concerned that gangs would use the Internet to extend their criminal enterprises.
What the researchers found was that when gang members aren't doing what typical young adults do on the Internet, they're doing what they do on the mean streets of their turfs -- a lot of bragging and fighting.
"A fight that took place, a shooting, a stabbing on the street is often precipitated by some online interaction or threat," Decker told TechNewsWorld.
"The Internet opens up so many opportunities that we really can't anticipate," he said. "As they unfold, they can work to the advantage of offenders, but they can also work to the advantage of law enforcement. The Internet leaves a record. That can be a powerful tool for investigators."
Korea, Adware, Java
On the international front, cyberattacks on South Korea continued last week. Websites operated by North Korean defectors were reportedly attacked last Tuesday.
Meanwhile, Android continues to be a popular target of apps bearing adware that siphons more information from a phone than is necessary to run the app. Research from Bitdefender revealed that Android app adware grew worldwide by 61 percent during a five month period ending in January.
Java also continued to grab headlines last week. In a report from Websense based on an analysis of millions of endpoints, the company found that three quarters of the Java clients currently being used by organizations are at least six months out of date.
- March 26. Oregon Health & Science University in Portland starts notifying some 4,000 patients after an unencrypted laptop containing their personal health information was stolen. The laptop was stolen from a surgeon's Hawaii vacation rental in late February. This is the institution's third reported data breach involving more than 500 individuals since 2009. All incidents involve stolen and unencrypted devices.
- March 26. Texas Tech University Health Sciences Center posts to its website notice that an error on February 18 while processing billing statements for approximately 700 patients resulted in some patient billing statements being sent to the wrong mailing addresses. Information exposed included patients' names, account numbers, invoice numbers, dates of service, charge amounts, department and provider names, adjustment amounts, payments from insurance companies, amounts due, and total account balances.
- March 26. Granger Medical Clinic in West Valley City, Utah reports to federal health authorities that 2,600 medical appointment records may have been compromised when they were discovered missing in January. Records include names of patients, appointment dates and reason for visit.
- March 28. Utah Health Department ombudsman states that state lawmakers have approved an additional US$1 million in funds to cover an additional year of identity theft protection for victims of the data breach in May that compromised personal information of some 780,000 people, including 280,000 Social Security numbers. To date, the department estimates that 25 percent of the people with compromised SSNs have applied for identity theft protection.
Upcoming Security Events
- April 4. Emerging Science and Technologies -- Securing the Nation through Discovery and Innovation. 7:30 a.m-9:30 a.m. ET. Rotunda, Ronald Reagan Building, 1300 Pennsylvania Ave NW, Washington, D.C. Sponsored by INSA and NextGov. Registration: Free.
- April 9. Mobile Devices and Identity and Access Control Applications. Sands Expo & Convention Center, Las Vegas, Nev. Sponsored by Smart Card Alliance. Registration: $470-$590.
- April 12. Art of Deception: Are YOU in Danger of Being Conned? Lecture by Kevin Mitnick. 3 p.m. Tom Steed Community Learning Center, 6191 Tinker Diagonal, Midwest City, Okla.
- April 23-24. Black Hat Embedded Security Summit. McEnery Convention Center in San Jose, Calif. Registration: Before Feb. 9, $999; Feb. 9-Apr. 18, $1,099; Apr. 19-25, $1,199.
- April 23-25. Infosecurity Europe. Earls Court, London, UK. Registration: By Apr. 19, free; After Apr. 19, £20.
- May 15-16. NFC Solutions Summit. Hyatt Regency San Francisco Airport. Registration $760-$1,020.
- June 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. ET. Newseum, Washington, D.C. Registration for Non-government attendees: Before March 3, $395; Mar. 3-Jun. 10, $495; Onsite, $595.
- June 14-22. SANSfire 2013. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Course tracks range from $1,800-$4,845.
- July 24. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. Newseum, Washington, D.C. Registration: government, free; non-government $395, before April 10; $495, April 10-July 23; $595 July 24.