Krebs pinpoints the likely author of the Mirai botnet

The full story is admittedly lengthy, clocking in at over 8000 words, but worth the time to understand how botnet wranglers make money siccing their zombie device armies on unsuspecting targets. The sources that pointed Krebs to Anna Senpai’s identity were involved in using botnets on behalf of shadowy clients, unleashing them on security companies protecting lucrative Minecraft servers that host thousands of players. When their online gaming is obstructed — say, by repeated and annoying DDoS attacks — players leave, giving servers an incentive to jump ship to whichever security provider can ensure protection…in this case, providers that arranged for the botnet attacks in the first place.

Source: Krebs pinpoints the likely author of the Mirai botnet

Don’t Be Fodder for China’s ‘Great Cannon’

“It only intercepts traffic to a certain set of Internet addresses, and then only looks for specific script requests. About 98 percent of the time it sends the Web request straight on to Baidu, but about two percent of the time it says, ‘Okay, I’m going to drop the request going to Baidu,’ and instead it directly provides the malicious reply, replying with a bit of Javascript which causes the user’s browser to participate in a DOS attack, Weaver said.

via Don’t Be Fodder for China’s ‘Great Cannon’ — Krebs on Security.

Interestingly, this type of attack is not unprecedented. According to documents leaked by National Security Agency whistleblower Edward Snowden, the NSA and British intelligence services used a system dubbed “QUANTUM” to inject content and modify Web results for individual targets that appeared to be coming from a pre-selected range of Internet addresses.

World’s largest DDoS strikes US, Europe

The Network Time Protocol (NTP) Reflection attack exploits a timing mechanism that underpins a way the internet works to greatly amplify the power of what would otherwise be a small and ineffective assault.

via World’s largest DDoS strikes US, Europe – Security – Technology – News – iTnews.com.au.

The OpenNTPProject can help administrators determine if their servers are vulnerable.

Bitcoin Thefts Surge, DDoS Hackers Take Millions

Bitcoin users have echoed that suggestion. “One note of warning: don’t trust any online wallet,” read a comment on a recent Guardian feature. “The two biggest ones have already been robbed. Use your own wallet on your own computer and back it up on a USB stick.”

“Remember, you don’t have to keep your Bitcoins online with someone else: you can store your Bitcoins yourself, encrypted and offline,” said Ducklin at Sophos.

via Bitcoin Thefts Surge, DDoS Hackers Take Millions – InformationWeek.

That Internet War Apocalypse Is a Lie

CloudFlare CEO Matthew Prince tells a harrowing story of warding off the internet attack after Spamhaus hired him—which is certainly true—but warns us of existential threats to the net still lurking out there, like lost Soviet nukes:

via That Internet War Apocalypse Is a Lie.

This would be so terrifying if it weren’t advertising. Prince, of course, is in the business of selling protection against online attacks. And his company is, as far as I can tell, pretty good at this business. But he’s also clearly in the business of scaring people: in his blog post today, he warns that the Spamhaus attack “may prove to be relatively modest” compared to what comes next. Bigger nukes, I suppose.

Here’s an another excerpt on the latest DDoS kerfuffle that made a lot of news recently.

So what’s the answer? Short of shutting down all 27 million resolvers, the Open DNS Resolver Project and others such as DNS service providers Afilias recommend the implementation of source address validation. An IETF RFC, BCP-38, exists that spells out how to use source address validation and build such an architecture to defeat IP source address spoofing.

via Open DNS Resolvers Center Stage in Massive DDoS Attacks | threatpost.

According to the article one component to implementing this requires cooperation from ISPs who may not see this as a priority.

Amazon.com website briefly offline, hackers claim credit

The group went on detail how it knocked the front door down (only Amazon.com’s front page was offline), with a large “botnet” or network of thousands of computers working together.

via Amazon.com website briefly offline, hackers claim credit | Fox News.

Interesting.  Looks like a distributed denial of service (DDOS) on the grand daddy of the data center and cloud computing industry.  Amazon was down for only 49 minutes.  It will be interesting to hear the inside baseball techie talk as to how this happened and how Amazon recovered.

TCP may keep its offered receive window closed indefinitely RFC 1122

Part of the Transmission Control Protocol TCP specification RFC 1122 allows a receiver to advertise a zero byte window, instructing the sender to maintain the connection but not send additional TCP payload data. The sender should then probe the receiver to check if the receiver is ready to accept data. Narrow interpretation of this part of the specification can create a denial-of-service vulnerability. By advertising a zero receive window and acknowledging probes, a malicious receiver can cause a sender to consume resources TCP state, buffers, and application memory, preventing the targeted service or system from handling legitimate connections.

via US-CERT Vulnerability Note VU#723308 – TCP may keep its offered receive window closed indefinitely RFC 1122.