
Worldwide DDoS Attack

The Atheist (The Grammar Tyrant) - joined Jul 3, 2006 - 36,364 messages
It's been going on for days now, aimed at financial institutions other than banks.

Banks went through this a few years back, but their systems can hold out against anything less than state-sponsored attacks, so the scammers have taken it down half a notch, aiming at NZX, PayPal, WorldPay and others: https://www.stuff.co.nz/business/in...lieved-to-be-demanding-huge-ransom-in-bitcoin

Mildly interesting to see no AliPay, although I haven't checked, so they may be in the mix somewhere.

It used to be that seeing the Fancy Bear group mentioned immediately points to Russia, but the scale looks a lot bigger than their past capabilities and they're more malicious state actors (DNC hack) than blackmailers.

Also, FB are very well known and don't carry ID, so like Anonymous, anyone who wants to be one, can be.

I was aware of the attack on NZX on Tuesday and thought maybe China was just sending a gentle reminder not to piss them off, but I don't see Chinese authorities either arranging or allowing this widespread kind of attack right now - the targets are politically pointless.

The size and co-ordination suggests an extremely well-resourced attack, so I'm looking at places with a little cashflow problem right now - North Korea, Iran, Syria - the usual suspects.

Feel free to post your ideas!
 
The size and co-ordination suggests an extremely well-resourced attack, so I'm looking at places with a little cashflow problem right now - North Korea, Iran, Syria - the usual suspects.

Feel free to post your ideas!

Not really, anyone can download a bot-net controller and have several million zombie bots at their command in a few minutes these days. You don't need to be a State Actor to launch this level of DDoS Attack, you just need to be a massive dick.
 
How do you guard against a DDoS attack?

What about my emails?

There are a number of ways. Most include a filter between the internet and the server that can determine if a connection request is genuine or part of a DDoS.
 
What about my emails?

Won't affect them in any way.

Not really, anyone can download a bot-net controller and have several million zombie bots at their command in a few minutes these days.

Very few people have access to the bandwidth for this level of attack. The scripts and bots are irrelevant - it's traffic, which requires enormous bandwidth.

You don't need to be a State Actor to launch this level of DDoS Attack, you just need to be a massive dick.

Being a dick has nothing to do with it, it's a ransom attack rather than vandalism. It's extremely well organised and at a massive scale. You cannot sit at home - or even anything like a normal office - and generate the amount of traffic involved.

It would be setting off alarms at even the largest ISPs.
 
The size and co-ordination suggests an extremely well-resourced attack, so I'm looking at places with a little cashflow problem right now - North Korea, Iran, Syria - the usual suspects.

Feel free to post your ideas!
Bollocks. There is no evidence of state involvement. This is utter, ignorant speculation with about as much credibility as the "Hezbollah is responsible for the Beirut AN blast" nonsense.

It's also gross exaggeration. I suggest you look at the June and July attacks, which were far greater in scope.

How do you guard against a DDoS attack?
Planning and preparation.
Proper systems design with reviews.
Security and network services planning.
Good security practices in general.

Firewall filtering as part of a layered DoS defense.
Traffic analysis and automated, planned, responses to traffic inconsistencies.
Capacity planning with surge options.
Reduce your vulnerable surface area.

Generally widely distributed cloud services are superior at resisting such attacks. Many such hosting options include DoS mitigation but all provide better transit capacity.

DoS attacks can occur at different layers; IL attacks (layers 3/4) are more common but much more obvious and detectable. AL attacks (layers 6/7) are less common but are usually more sophisticated (no crude SYN packet storms) and targeted. So they need very different plans and mitigations.

What about my emails?
What hosting provider?
 
How do you guard against a DDoS attack?
You don't. Your ISP and hosting providers do.

The canonical denial of service (DOS) attack is a flood of cheap packets of information. "Cheap" in the sense that they're small and easy to generate and transmit. But they still have to be handled by all the network devices between source and destination. Send enough of them, fast enough, and they'll find whatever the bottleneck is and block any more communication through that channel.

A distributed DOS (DDOS) attack refines the method by sending the packets from a number of different sources. This has the advantage that you can send a much larger flood without hitting a bottleneck on your end. Each of your sources only sends as much traffic as its source channels can handle. Together, they are (much) more traffic than the destination channel can handle.

The way to guard against it is via the links in your connection that can handle the flood. Obviously most of the connection links can handle the flood, otherwise the attack would never get close enough to the target to actually land. The ISP actually has enough bandwidth to pass the flood along to the bank.

So the ISP can protect the bank by proactively (and automatically) detecting that a flood is ramping up, and choosing to drop the offending packets instead of sending them along to the bottleneck.
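The two posts above describe the same defensive idea from different angles: traffic analysis with planned, automated responses that treat layer 3/4 floods and layer 7 request floods differently, and an upstream operator detecting a flood as it ramps up and dropping the offending packets before they reach the bottleneck. The following Python is an added example written for this thread, not code from any poster or from the linked articles. It runs a toy detector over constructed sample traffic: per-second SYN counts against an assumed rate limit for the volumetric case, and per-client requests to assumed costly endpoints for the application-layer case. All addresses, paths and thresholds are constructed illustrations.

```python
"""Toy traffic-analysis pipeline for a layered DoS defence.

Flags an aggregate SYN flood (layer 3/4) and a per-client request flood
(layer 7) over constructed sample records, then returns the automated
response a planned defence would apply: drop the flooding sources, rate
limit the abusive client.  Thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: int            # whole-second timestamp (constructed)
    src: str           # source address (constructed documentation ranges)
    syn_only: bool     # TCP SYN without ACK, i.e. a bare connection attempt
    path: str = ""     # HTTP path when the record is a completed request


# Assumed thresholds; a real deployment derives these from a baseline.
SYN_RATE_LIMIT = 50      # aggregate SYN/s above which we call it a flood
SYN_RATIO_LIMIT = 0.9    # share of SYN-only packets marking a source as suspect
L7_RATE_LIMIT = 20       # requests/s per client to a costly endpoint
COSTLY_PATHS = {"/search", "/api/quote"}   # assumed expensive endpoints


def detect_l34_flood(packets):
    """Layer 3/4 check: aggregate SYN rate per second, then per-source SYN ratio.

    A crude SYN storm is obvious in aggregate; the per-source ratio separates
    bots that only ever send SYNs from real clients that complete handshakes.
    Returns (seconds_in_flood, sources_to_drop).
    """
    per_second = defaultdict(list)
    for p in packets:
        per_second[p.ts].append(p)

    flood_seconds, drop = [], set()
    for ts, pkts in sorted(per_second.items()):
        syns = [p for p in pkts if p.syn_only]
        if len(syns) <= SYN_RATE_LIMIT:
            continue                      # normal second, no response needed
        flood_seconds.append(ts)
        syn_by_src = Counter(p.src for p in syns)
        total_by_src = Counter(p.src for p in pkts)
        for src, n in syn_by_src.items():
            if n / total_by_src[src] >= SYN_RATIO_LIMIT:
                drop.add(src)             # bare-SYN source during a flood
    return flood_seconds, drop


def detect_l7_flood(packets):
    """Layer 7 check: requests per client per second to costly endpoints.

    No packet storm here; the client completes handshakes and sends valid
    requests, so only the request rate against expensive paths gives it away.
    Returns the set of clients to rate limit.
    """
    counts = Counter((p.ts, p.src) for p in packets if p.path in COSTLY_PATHS)
    return {src for (_, src), n in counts.items() if n > L7_RATE_LIMIT}


def plan_response(packets):
    """Run both detectors and return the planned automated responses."""
    flood_seconds, drop = detect_l34_flood(packets)
    limit = detect_l7_flood(packets)
    return {
        "flood_seconds": flood_seconds,
        "drop_sources": sorted(drop),
        "rate_limit_clients": sorted(limit),
    }


def sample_traffic():
    """Constructed traffic: legitimate clients, a SYN flood, one L7 abuser."""
    pkts = []
    for ts in range(3):
        for i in range(10):               # ten real clients: SYN then a request
            client = f"192.0.2.{i}"
            pkts.append(Packet(ts, client, True))
            pkts.append(Packet(ts, client, False, "/"))
    pkts.extend(Packet(0, "192.0.2.3", False, "/search") for _ in range(3))
    # 40 bots, each sending two bare SYNs in second 2: small per source,
    # large in aggregate, which is the whole point of a distributed attack.
    for i in range(1, 41):
        bot = f"198.51.100.{i}"
        pkts.extend(Packet(2, bot, True) for _ in range(2))
    # One client hammering the costly endpoint in second 1 (layer 7 case).
    pkts.extend(Packet(1, "203.0.113.7", False, "/search") for _ in range(25))
    return pkts


if __name__ == "__main__":
    print(plan_response(sample_traffic()))
```

The design point is the one the layered-defence post makes: the volumetric detector keys on packet shape and aggregate rate, which any upstream operator can see and act on, while the application-layer detector needs knowledge of which requests are expensive, which only the service owner has. The two responses are deliberately different (drop versus rate limit), since dropping a real client that merely completes many handshakes would be the defender hurting itself.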
 
Very few people have access to the bandwidth for this level of attack. The scripts and bots are irrelevant - it's traffic, which requires enormous bandwidth.

Sorry, I'm not understanding this. If you had downloaded a bot-net controller and had a truckload of zombie bots at your command to run this DDoS attack, don't those bots operate on other people's computers, and therefore use their bandwidth, not yours? Aren't these zombie bots autonomous?
 
Sorry, I'm not understanding this. If you had downloaded a bot-net controller and had a truckload of zombie bots at your command to run this DDoS attack, don't those bots operate on other people's computers, and therefore use their bandwidth, not yours? Aren't these zombie bots autonomous?

Yeah, I think TA is forgetting about the "distributed" in "distributed denial of service".
 
Sorry, I'm not understanding this. If you had downloaded a bot-net controller and had a truckload of zombie bots at your command to run this DDoS attack, don't those bots operate on other people's computers, and therefore use their bandwidth, not yours? Aren't these zombie bots autonomous?

That used to be the case, but bot-nets in that format have declined thanks to better security systems and high mobile usage. Mobiles are restrictive because the speed gets scaled back quickly.

Something the size of a Russian troll farm would handle it, but they have more exciting things to do and don't need the money. That's why I'd be looking at NK, which is fairly well renowned for this type of behaviour and they're a bit short of cash.

https://thenextweb.com/hardfork/2019/08/06/north-korean-cryptocurrency-hackers-2-billion/
 
Bollocks. There is no evidence of state involvement. This is utter, ignorant, speculation with about as much credibility as the "Hezbollah is responsible for the Beirut AN blast" nonsense.

Just to re-visit this again, in light of new developments today:

Professor Dave Parry from AUT's Department of Computer Science said: "With GCSB involved this will almost certainly be involving other international agencies as well, which is the way to shut this down."

"The Five Eyes will be very interested to see if there's any long-term threat from the groups involved, whether it's criminal gangs, or whether it includes government or pseudo-government groups."

bolding mine

So nonsensical that the intelligence agencies of USA, Canada, Australia, UK and NZ are involved...
 
Very few people have access to the bandwidth for this level of attack. The scripts and bots are irrelevant - it's traffic, which requires enormous bandwidth.

Yeah, no it doesn't. As pointed out, the majority of DDoS attacks use the bots' bandwidth, not the attacker's.

Being a dick has nothing to do with it, it's a ransom attack rather than vandalism.

You seem to be under the impression that being a ransomer doesn't make you a dick.

It's extremely well organised and at a massive scale. You cannot sit at home - or even anything like a normal office - and generate the amount of traffic involved.

Again, you don't need to, that's the point of having a distributed attack. It doesn't take a lot of resources on your end because you are using other people's computers and internet-enabled devices, not your own.

It would be setting off alarms at even the largest ISPs.

Again you seem to be under a misunderstanding of how DDoS primarily works.

That used to be the case, but bot-nets in that format have declined thanks to better security systems and high mobile usage. Mobiles are restrictive because the speed gets scaled back quickly.

It still is the case, and if you think otherwise then you are fooling yourself. And really it has nothing to do with mobiles, there are still millions of infected PCs that can be zombie bot netted, they don't need to worry about mobiles. In fact bot nets are more like using your internet enabled security camera or washing machine than your mobile.

Something the size of a Russian troll farm would handle it, but they have more exciting things to do and don't need the money. That's why I'd be looking at NK, which is fairly well renowned for this type of behaviour and they're a bit short of cash.

You are still way too focused on a spoofing campaign from a single collective source. Those aren't the most common form of attack; the idea that you need to have major bandwidth and computer resources is just incorrect, and thinking you can tell good and bad data easily is also a major mistake. The competition between security experts trying to figure out a way to detect bad actor requests from legitimate ones, and the bad actors coming up with new ways to make their traffic look legitimate, is very much an ongoing battle, with no real winner in sight yet. All forms of DDoS protection can be broken by a determined enough hacker, which is why we still have DDoS attacks.

For those that want a shallow lesson in DDoS, Wiki's page has the basics

Here are some others...

Security Essentials article, July 2020

Cloudflare Article

eSecurityPlanet Article

Imperva Article

Norton Article

Security Magazine article, May 2020

PentaSecurity article, July 2020

UK National CyberSecurity Center article
 
Just to re-visit this again, in light of new developments today:

bolding mine

So nonsensical that the intelligence agencies of USA, Canada, Australia, UK and NZ are involved...

You do realise that just because they are investigating who is behind it and are considering if it might be a government or pseudo-government, that doesn't mean it has to be a government or pseudo-government, right? They also noted they were considering if it was organised crime that was behind it. For all we know it might end up being a 15-year old kid in Belarus who got bored and decided to create havoc.

The reason that the likes of the GCSB are being brought in is because it's a major attack across multiple countries and DDoS attacks are extremely difficult to trace, but groups like the GCSB have the tech to try and do it.
 
Again you seem to be under a misunderstanding of how DDoS primarily works.

No, you're just not reading what I've written.

You do realise that just because they are investigating who is behind it and are considering if it might be a government or pseudo-government, that doesn't mean it has to be a government or pseudo-government, right?

If you read what I actually wrote for a change, I didn't say it was.

For all we know it might end up being a 15-year old kid in Belarus who got bored and decided to create havoc.

I'd have that at 1000:1.
 
No, you're just not reading what I've written.

I read exactly what you said, that it would require a lot of bandwidth for the attacker and that an ISP would detect that. This is just wrong.

If you read what I actually wrote for a change, I didn't say it was.

No, you just made it very clear that you believe it is based on very little evidence. That's not skeptical. It might be right, but you are jumping to conclusions.

I'd have that at 1000:1.

Those are probably low odds, but my point was not that it will be, but rather that at this point in time we can't yet rule it out. We don't know if it's a single script kiddie who is doing it for fun, someone that is disgruntled with the financial systems under attack, someone that is trying to hack into and steal from one or more of the financial systems under attack, a group of anarchist hackers trying to take down the financial systems, an organised crime syndicate who is trying to ransom those being attacked, or a state actor trying to either get money or just test their ability to cause chaos within the global financial systems. At the moment we just don't know, so guessing is exactly that, guessing.
 
... based on very little evidence...

I'll just sit on the evidence of five intelligence agencies being involved to say it was an unusually sophisticated and large attack.

Whether we ever know who it was, I don't know, but I'd bet on probably not.
 
Very few people have access to the bandwidth for this level of attack. The scripts and bots are irrelevant - it's traffic, which requires enormous bandwidth.

Completely wrong. Please inform yourself properly before trying to display yourself as an IT expert. :rolleyes:
 
Completely wrong.

Yeah, right.

The GCSB always get involved in DDoS attacks.

... before trying to display yourself as an IT expert.

Cute little strawman you've got there mate - is there a special on? I'll gladly help you burn it, though.

If you have a look, I haven't anywhere mentioned any IT credentials.

I've seen an interesting story developing and suspect something more than a home- or script-kiddie-based DDoS attack. This seems to be borne out by the fact that NZ's by far largest ISP has had to seek government intelligence level support; something they haven't needed to do in attacks on trading banks, the TAB and government institutions in the past.

But feel free to ignore the inconvenient facts involved.
 