Tag Archives: DDoS

Internet’s time servers secured in “worldwide effort”

The BBC is reporting a “worldwide effort” to strengthen “time servers” (computers that keep the time on the internet) as a way of thwarting hack attacks. It reports that there has been an “explosion” in the last few months of the number of attacks targeting these special servers. The story was first broken by security company Arbor.

Criminals used the time servers (also known as NTP servers) in a series of DDoS attacks. DDoS attacks aim to knock out a targeted network by flooding its servers with huge amounts of data. Roughly 93% of all vulnerable servers are now thought to be secure against this type of attack.

The inspiration for this tightening in security came from an attack on the online game League of Legends, which was performed by Derp Trolling, who have attacked many other online gaming platforms in a similar manner.

The League of Legends gaming site (and others like it) was attacked by exploiting a weakness in older versions of the software that underpins the Network Time Protocol (NTP). This type of attack is called an NTP reflection attack: the attacker sends requests from a spoofed IP address (mimicking the target's IP address), so that the target is overloaded with responses from multiple NTP servers. This rush of data to the target server, or servers, causes them to crash.
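From the receiving end, the reflection pattern described above shows up as many distinct NTP servers sending UDP traffic from port 123 to a host that never queried them. The following detection sketch is an added example, not part of the original post; the flow-record layout, the thresholds and the documentation-range addresses are all assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

NTP_PORT = 123

def sample_flows():
    """Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)."""
    flows = []
    # 40 distinct NTP servers "answering" a host that sent them nothing.
    for i in range(40):
        flows.append((f"198.51.100.{i + 1}", NTP_PORT, "203.0.113.10",
                      40000 + i, "udp", 44_000))
    # A normal time sync: one request, one small reply.
    flows.append(("203.0.113.20", 51000, "192.0.2.5", NTP_PORT, "udp", 76))
    flows.append(("192.0.2.5", NTP_PORT, "203.0.113.20", 51000, "udp", 76))
    return flows

def find_reflection_targets(flows, min_sources=20, min_bytes=1_000_000):
    """Return {dst_ip: (distinct_sources, unsolicited_bytes)} for hosts that
    receive unsolicited NTP replies from many servers (assumed thresholds)."""
    # (client, server) pairs for which a request toward port 123 was seen.
    asked = {(src, dst) for src, _, dst, dport, proto, _ in flows
             if proto == "udp" and dport == NTP_PORT}
    sources = defaultdict(set)
    volume = defaultdict(int)
    for src, sport, dst, _, proto, nbytes in flows:
        if proto != "udp" or sport != NTP_PORT:
            continue
        if (dst, src) in asked:
            continue  # reply to a request this host really sent
        sources[dst].add(src)
        volume[dst] += nbytes
    return {dst: (len(sources[dst]), volume[dst])
            for dst in sources
            if len(sources[dst]) >= min_sources and volume[dst] >= min_bytes}

if __name__ == "__main__":
    for victim, (n, total) in find_reflection_targets(sample_flows()).items():
        print(f"{victim}: {n} NTP sources, {total} unsolicited bytes")
```
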

The Network Time Foundation, which helped to coordinate the security measures, estimated that 1.6 million machines were at risk of being abused in reflection attacks. Work to reduce this number began early this year.

Despite 93% of servers now being more secure, an estimated 97,000 are thought to be open to abuse. Arbor estimates that it would take 5,000-7,000 NTP servers to mount an overwhelming attack, leaving plenty of room for hackers to manoeuvre.

The “explosion” in the number of attacks in recent months has been caused by copycat hacking groups using the same methods as Derp Trolling. This has led to a spike in malicious network activity, which is why the internet community has responded with such a wide-ranging strategy.

Bitcoin exchange halts withdrawals after cyber-attack

Bitstamp, one of the world’s largest and most commonly used Bitcoin exchanges, has temporarily halted withdrawals after its exchange system came under attack.

The exchange firm, based in Slovenia, said criminals had used a vulnerability in the underlying Bitcoin software to perform the attacks. The Bitcoin Foundation, who maintain the code on which the software is based, have been trying to find a workaround as well as fixes for the issue. They added that as this was a DDoS (distributed denial of service) attack no theft of Bitcoins had taken place, but that funds were “tied up” in the affected exchanges for now.

Bitstamp are now the second big Bitcoin exchange to come under DDoS attack in under a week, with Tokyo’s MtGox being the first last Friday.

A third exchange, BTC-e, has also warned that transactions would be delayed due to another DDoS attack.

The cause of the problem stems from a weakness in the Bitcoin code known as transaction malleability. This malleability allows somebody to alter the code of Bitcoin just before a particular transaction is logged. This in turn allows a withdrawal to be made multiple times without the “blockchain” (the database Bitcoin uses to record every transaction carried out) noticing, opening the door to theft of Bitcoins.

The actual DDoS attack, according to Gavin Andresen of the Bitcoin Foundation, comes when an exchange firm’s systems can’t cope with vast amounts of these fraudulent transactions. Mr Andresen pointed towards the design of MtGox and Bitstamp’s systems not being up to scratch, adding that the transaction malleability issue had been known about since 2011.
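The bookkeeping weakness behind repeated withdrawals can be shown with a toy model. This is an added example, not from the original post or from any exchange's code. It assumes that a transaction's identifier is a hash over the whole transaction, signature bytes included, so a re-encoded signature gives the same payment a different identifier; the transactions and field names are constructed.

```python
import hashlib

def txid(tx):
    """Toy identifier: double SHA-256 over everything, signature bytes included."""
    body = repr((tx["inputs"], tx["outputs"], tx["script_sig"])).encode()
    return hashlib.sha256(hashlib.sha256(body).digest()).hexdigest()

def payment_key(tx):
    """What the payment does: which coins it spends and whom it pays."""
    return (tuple(tx["inputs"]), tuple(tx["outputs"]))

def reconcile(pending, confirmed):
    """Classify each pending withdrawal against the confirmed transactions."""
    ids = {txid(t) for t in confirmed}
    keys = {payment_key(t) for t in confirmed}
    status = {}
    for ref, tx in pending.items():
        if txid(tx) in ids:
            status[ref] = "confirmed"
        elif payment_key(tx) in keys:
            # Same coins spent to the same recipient under another identifier:
            # the customer has been paid, so the withdrawal must not be re-sent.
            status[ref] = "confirmed-under-different-id"
        else:
            status[ref] = "unconfirmed"
    return status

def demo():
    # Constructed sample data.
    sent = {"inputs": [("aa" * 32, 0)], "outputs": [("customer-1", 50_000)],
            "script_sig": b"\x30\x44sig"}
    # Same payment, signature field re-encoded before confirmation.
    mutated = dict(sent, script_sig=b"\x30\x45\x00sig")
    waiting = {"inputs": [("bb" * 32, 1)], "outputs": [("customer-2", 9_000)],
               "script_sig": b"\x30\x44sig2"}
    pending = {"withdrawal-1": sent, "withdrawal-2": waiting}
    return txid(sent) != txid(mutated), reconcile(pending, [mutated])

if __name__ == "__main__":
    print(demo())
```

A system that looks up withdrawals by identifier alone would report `withdrawal-1` as missing and could pay it again; matching on the spent inputs and outputs does not.
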

Unfortunately, despite Bitcoin trying to distance itself from the fallout of this issue, this is more unwanted publicity, coming after the arrests of Charlie Shrem and Robert Faiella in the US. Shrem and Faiella worked together to exchange over $1 million in Bitcoins to users of the Silk Road. The Silk Road, which has been shut down since October 2013, was an illegal marketplace for illicit materials, such as illegal drugs and weapons. Bitcoin was the only accepted currency on the Silk Road.

The price of Bitcoin fell as a result of this news from $830 to $665, a drop of nearly 20%. Prices also fell after the arrests of Shrem and Faiella, so this latest hiccup is something that Bitcoin could have done without. However, that does not stop the meteoric rise of virtual currencies, in particular Bitcoin, over the last 12 months or so. Less than two years ago, in July 2012, Bitcoin’s value was at just $9, which itself was a revelation at the time.

On this basis, it would be a safe assumption that Bitcoin might not be too worried about this latest incident.

Spamhaus DDoS orchestrator arrested in Spain

A man was arrested last week in Barcelona, in what is thought to be part of an investigation into the DDoS attack on Spamhaus in March of this year. The man, rumoured to be Sven Kamphuis, is the owner of Dutch hosting firm CyberBunker, who had already been implicated in the attack, which began on March 19th and was ongoing for over a week.

It is reported that the attack started because Spamhaus, who publish a blacklist of internet spammers, added CyberBunker to their blacklist. CyberBunker, who claim to host websites for anyone excluding “child porn and anything related to terrorism”, retaliated by focusing a DDoS (distributed denial of service) attack on Spamhaus.

A DDoS attack aims to take a target machine or entire network offline by flooding its internet connection with useless data, so much so that the network becomes unable to function. These attacks are intended to render their target, often a website, completely unusable, and leave users unable to access the website’s features for a short period of time. In most cases, an average DDoS attack will send anything between 4 Gbps and 10 Gbps of data. The attack on Spamhaus began at 10 Gbps and peaked at 300 Gbps, a staggeringly high number, the likes of which have never been seen before in this type of attack. Typical DDoS attacks are also much shorter than the Spamhaus attack, which carried on for over a week.

Also involved in the attack were internet security firm CloudFlare, who were brought in by Spamhaus to defend against the attacks. When CyberBunker got wind of their involvement, they also made CloudFlare a target in the overall attack. The head of CloudFlare, Matthew Prince, alluded to the far-reaching consequences of the attack, which was reported to have slowed down internet speeds globally: “We haven’t seen anything larger than this publicly. It’s hard to get an attack this large, because what you end up doing is congesting [portions of the Internet].” Dan Holden, director of another security firm, Arbor Networks, said the magnitude of the attacks makes it likely that they will have caused damage far beyond the intended target.

Kamphuis was arrested in Barcelona at the request of the Dutch public prosecutor. It has been revealed that he was known to be in Spain around the time that the Spamhaus attack was launched; however, he was not caught until last week. When arrested, Kamphuis was believed to be operating out of a van, which he was using as a mobile office. The house where he was staying at the time was searched, and hardware such as “computers, phones and hard drives” was seized. The content of these devices will undoubtedly be instrumental in his prosecution, once he is deported back to the Netherlands.

Previous famous DDoS attacks include those on PlayStation Network in 2011, and HSBC last year.
