Posts Tagged ‘Cyber attack’

A massive cyber attack targeting a European spam-fighting group that slowed some global Internet traffic to a crawl appears to have been launched by a gang of hackers from Russia and neighboring countries, says the head of a Russian firm specializing in defending against such attacks.

MOSCOW–A massive cyber attack targeting a European spam-fighting group that slowed some global Internet traffic to a crawl appears to have been launched by a gang of hackers from Russia and neighboring countries, says the head of a Russian firm specializing in defending against such attacks.

Alexander Lyamin, of Moscow’s Highload Labs, says he believes the same group who have caused trouble around the world with their attack against the non-profit Spamhaus Project Ltd. had earlier launched a series of brief strikes on several top Russian Internet companies as a trial run of their weapon known as a Domain Name System amplification attack.

“We first noticed incidents utilizing this technique a month-and-a-half ago in Russia. It started with a measly 10-20 gigabytes per second, but during the next month it grew to 60 and then 120 gigabytes. Apparently the attackers were growing their network of hacked servers,” Mr. Lyamin said.

The attacks against Spamhaus began on March 19 and appeared to have subsided on Wednesday. Some experts said the attack grew to as large as 300 gigabytes per second, which would make it the largest ever seen, although others–including Mr. Lyamin — dispute that.

A DNS amplification attack works by manipulating the basic system by which the Internet operates wherein a series of domain name system servers convert searches for particular sites, like www.wsj.com, to their INS address which is actually a numerical code and makes the connection. The attack utilizes a network of hacked DNS servers to answer fake messages that appear to come from a targeted site with much larger responses. While this cripples the target site, it also severely slows the DNS server which results in bogging down scores of other searches. In the Spamhaus attack, experts have said they believe millions of web surfers were affected.

Spamhaus has accused Dutch Web-hosting company Cyberbunker for being behind the attack in a tit-for-tat retaliation for Spamhaus putting Cyberbunker on a blacklist for allegedly allowing vast amounts of spam to be sent through its servers.

Spokespeople for Cyberbunker and Spamhaus did not immediately respond to messages seeking comment. In a statement on its Website, Spamhaus said “a number of people have claimed to be involved in these attacks. At this moment it is not possible for us to say whether they are really involved.”

While Mr. Lyamin would not name the Russian companies that were the earlier targets because of “the very sensitive nature of this matter,” but said they included services used by Russians every single day.

“The targets were companies with good visibility and big names, but the attacks were only for a short duration of time. We think it was done for bragging rights. Also lots of Internet trash was targeted–porn, scam, drugs, piracy, etc. It was like a child playing Robin Hood or something,” he added.

He said the targeting of Russian companies, and the fact that the attacks tended to begin during daylight hours in Russia’s timezone, led his team to believe the attacks were launched by “a group of Russians or from our closest neighbors.”

Mr. Lyamin says he suspects whoever was behind the spam that Spamhaus had targeted had hired the hackers to launch the attack, which he said is a copycat of one undertaken in October 2010, about 20% smaller by volume of traffic.

“This is not new,” he said. “And I really doubt this is the biggest.”

Source:http://stream.wsj.com

This slideshow requires JavaScript.

The ‘biggest cyber attack in history’, which has been slowing down internet services for millions across the world, may have affected thousands of mobile banking customers.

Business and personal mobile banking customers for Natwest, RBS, and Ulster Bank are today experiencing problems accessing online accounts – although it has not yet been confirmed whether this is linked to the attack.

It comes after a bitter feud between two online companies – a group which aims to block unwanted emails known as ‘spam’ and a firm accused of sending them – erupted.

Spam-fighting organization Spamhaus says it’s being subjected to a massive cyber-attack, apparently from groups angry at being blacklisted by the Geneva-based group.

Millions of web users have already experienced disruption to popular services such as film and TV site Netflix, along with longer than usual delays in loading websites.

And yesterday experts warned the assault could soon impact on banking and personal email accounts.

The problems began when spam-fighting company Spamhaus – a not-for-profit group that aims to help block unwanted junk emails – black-listed Dutch company Cyberbunker earlier this month.

Cyberbunker is what is known as a hosting company, meaning it allows organisations to make their websites accessible on the internet by providing space on a server.

The company’s website says it will host anything ‘except child porn and anything related to terrorism’.

Spamhaus, which has offices in London and Geneva, keeps a database of web servers which are known to be used for malicious purposes, such as sending spam mail for bogus products – such as fake weight-loss pills or Viagra – and earlier this month added Cyberbunker.

Spamhaus claims Cyberbunker has launched a huge ‘denial of service’ (DDoS) attack in retaliation by flooding its servers with internet traffic.

This is like jamming a mailbox with hundreds of letters at the same time.

Professor Alan Woodward, a cyber security expert at the University of Surrey, explained: ‘If you imagine it as a motorway, attacks try to put enough traffic on there to clog up the on and off ramps.

‘With this attack, there’s so much traffic it’s clogging up the motorway itself.’

Matthew Prince, chief executive of internet security firm CloudFare, likened the move to a ‘nuclear bomb’, adding: ‘It’s so easy to cause so much damage.’

David Emm, a senior security researcher with anti-virus firm Kaspersky Labs, said the attack was slowing down the whole internet, adding: ‘It’s like if someone wanted to flood my letterbox with junk mail it would all have to go through the delivery office and that would have an effect on the delivery of other people’s letters.

‘If the mail is coming from all over the place it will have some impact on the wider delivery.’

Steve Linford, chief executive of Spamhaus, told the BBC the scale of the attack was unprecedented and powerful enough to bring down the Government’s computer system.

A spokesman for the Royal Bank of Scotland group said they were investigating the issue.

They added: ‘We are aware of a technical problem this morning which is preventing customers from logging in to our mobile banking applications.

‘We are working to fix the problem and apologise to customers for the inconvenience caused.

‘No other systems are affected.’

 Global impact: Experts say traffic to the Netflix site has been affected by the attack on anti-spam firm SpamHaus

Mr Linford said he could not disclose more details as there were fears those involved may also come under attack.

He added that several companies, such as Google, had made their resources available to help absorb the excess traffic.

Sven Olaf Kamphuis, who claims to be a spokesman for Cyberbunker, said in an online message that Spamhaus was abusing its position and should not be allowed to decide ‘what goes and does not go on the internet’.

He added: ‘We are aware that this is one of the largest DDoS attacks the world had publicly seen.’

Experts say such attacks are growing in power and are now six times larger than recent ones against American banks.

Companies that monitor Internet traffic said Wednesday that an intensive cyberattack against a European spam-fighting organization has ended.

The attack against the Spamhaus Project Ltd., a nonprofit group that tracks spammers, was massive enough to slow some of the traffic on the Web to a crawl.

Analysts work in the Security Operations Center at the Dell SecureWorks office in South Carolina

Analysts work in the Security Operations Center at the Dell SecureWorks office in South Carolina

Spamhaus accused Cyberbunker, a Dutch Web-hosting company, of coordinating the so-called distributed denial-of-service attack against it, according to a report by the British Broadcasting Corp. In a DDoS attack, multiple servers send simultaneous requests to the target’s Web servers, ultimately causing them to crash.

According to the BBC, Spamhaus said the attack was in retaliation for its blacklisting of the Dutch company.

Neither Cyberbunker nor Spamhaus could be reached for comment. A person familiar with the situation said Spamhaus thinks it is still under attack.

The cyberattack was one of an increasing number of such offensives against corporations, including large financial institutions, and raises questions about what companies can do to guard against them.

The DDoS attack directed at servers run by Spamhaus came at a rate of 300 gigabits a second, which is five or six times the intensity of typical cyberattacks against banks, said Dan Holden, director of security research at Arbor Networks Inc.

“Up until this, the largest attack we had seen was a 100-gigabit attack in 2010 and an 80-gigabit attack in 2012. Jumping up to 300 is tripling the largest attack we’ve seen,” he said.

According to Mr. Holden, the attack against Spamhaus caused “collateral damage” across the Web because of the “pure size” of the attack. The extent of any collateral damage is also dependent on the path taken between the attacking servers and the victim, he said. Arbor Networks is able to determine the ebbs and flows of Web traffic by aggregating data provided by 250 Internet-service providers around the world.

DDoS attacks are becoming a problem for large institutions, including U.S. banks. Thus far, corporations have responded by using technologies from tech companies such as Akamai Technologies Inc., AKAM +0.23% Prolexic Technologies and others that help companies deflect unwanted traffic from their sites.

Those technologies can help keep sites functioning normally. In January, as attackers hammered bank sites with DDoS attacks, the availability rate of websites at U.S. financial institutions actually rose to 97.21% from 94.86% in the fall, when the first phase of the ongoing attacks was in full force, according to a report from BankInfoSecurity.com.

But there are limits to how effective defensive technologies can be. A spokesperson at Wells Fargo WFC -0.86% & Co. confirmed its banking websites were under attack Tuesday, but added that most of its customers weren’t affected. It didn’t explain how it deflected the attack.

Last Wednesday, Wells Fargo’s chief information security officer, Rich Baich, said companies need to think in advance about how so-called hacktivist groups, which use cyberattacks as tools of political or social protest, might respond to actions they takes at any point in time. Mr. Baich was speaking at the IT Security Entrepreneurs Forum at Stanford University. “It’s not just about nuisance, where a website was hacked, it’s about them holding you hostage by denying you use of the Internet,” he said.

He stressed that attackers can do more than take down websites: They can use viruses to physically destroy electronic devices, as was the case with personal computers at Saudi Arabian Oil Co.’s last August. “Now there’s a destructive angle,” Mr. Baich said.

Mike Smith, director of the customer-security incident response team at Akamai, says such attacks are possible because of improperly configured domain-name servers—the servers that correlate website addresses, such as wsj.com, into the numerical addresses used by servers.

According to Mr. Smith, “hosting providers, businesses, and people with a cloud server who set up their own DNS resolver” often neglect to configure their servers using proper security settings. He says there are groups that compile lists of servers that improperly configured and open to abuse.

The sudden pickup in targeted attacks against corporate websites has brought cybersecurity to the highest levels of attention. The rise of IT security “to a board level concern is maybe the fastest I’ve ever seen,” said Thomas Sanzone, senior vice president of consulting firm Booz Allen Hamilton Inc. BAH -0.53%

The attack against Spamhaus raises questions about what companies should do to protect themselves, and whether a proactive defense is appropriate.

Compared with governments, companies are limited in actions they can take to legally respond to cyberattacks. Michael Chertoff, the former secretary of homeland security, said diplomatic considerations make it difficult for the government to take action against suspected adversaries from other countries.

Mr. Chertoff, who worked at the Department of Homeland Security from 2005 to 2009 and now runs a security consulting firm, said the U.S., which formally launched its cyberdiplomacy campaign in 2009, is currently trying to figure out how to deter and retaliate against cyberattacks, many of which come from sovereign countries.

“There are a serious questions about what we can do to defend ourselves and how far we can go in what we call active defense, that are both legal and policy questions that have yet to be resolved,” said Mr. Chertoff in January.

Mr. Chertoff counseled companies to think long and hard about retaliating on their own, noting that they could end up crippling a server that controls hospital equipment, while also unwittingly hosting malware.

 

source – http://online.wsj.com

Millions of people may have been affected by an attack that caused disruption and a slowdown of the Internet, according to a not-for-profit anti-spam organization that blacklisted a Dutch Web-hosting company.

The interruptions came after Spamhaus, a spam-fighting group based in Geneva, temporarily added CyberBunker to a blacklist that is used by e-mail providers to weed out spam. The attacks work by trying to make a network unavailable to its intended users by overloading a server with coordinated requests to access it, according to security firm Kaspersky Lab.

Calling the disruptions “one of the largest computer attacks on the Internet,” the New York Times reported today that millions of Web users have experienced delays in services such as Netflix video-streaming service or couldn’t reach a certain website for a short time.

“The size of the attack hurt some very large networks and Internet exchange points such as the London Internet Exchange,” John Reid, a spokesman for Spamhaus, said in an e-mailed response to questions by Bloomberg News. “It could be thousands, it could be millions. Due to our global infrastructure, the attackers target places all over the world.”

Spamhaus was targeted with a so-called distributed denial of service attack on the evening of March 15, Reid said.

Dutch Bunker

The attackers pretended to be Spamhaus and bombarded the Internet’s Domain Name System with simultaneous requests for information, according to Michael Sutton, vice president of security research for Zscaler. The System thinks the requests are from Spamhaus and sends them back to its website, creating a wall of data so large that the site crashes, he said.

“This attack isn’t new but I’ve never seen it abused to this scale,” he said in an interview. A traditional denial-of- service attack floods a website with tens of thousands of requests a second, causing it to temporarily shut down.

CyberBunker, which was founded 1998 and is based in a military bunker near a Dutch town called Goes, offers Web- hosting services for all sites except child pornography and anything related to terrorism, according to its portal.

“The only thing we would like to say is that we do not, and never have, sent any spam,” Cyberbunker spokesman Jordan Robson said in an e-mail.

Such attacks are growing in quantity as well as scale, according to Vitaly Kamluk, chief malware expert of Kaspersky Lab’s global research and analysis team. The two main motives for the disruptions are money through cybercrime and political and social activism, he said.

“This is indeed the largest known DDoS operation,” Kamluk said by e-mail. “Such DDoS attack may affect regular users as well, with network slowdown or total unavailability of certain web resources as typical symptoms.”