How a website flaw turned 22,000 visitors into a botnet of DDoS zombies

Posted by Tyler Van Fossen on April 10, 2014 in DDOS Protection

A new type of DDoS attack was recently deployed against a popular video site, using hidden iframes activated by viewing a user’s image in the comment section of the page. Using a persistent XSS vulnerability, the longer the video was played and the more users viewing the video, the longer the attack was sustained. Following the amplified attacks demonstrated in the previous months, are we looking at a new age of larger and more
By Dan Goodin
Researchers have uncovered a recent denial-of-service attack that employed an unusual, if not unprecedented, technique to surreptitiously cause thousands of everyday Internet users to bombard the target with a massive amount of junk traffic.

The attack worked by exploiting a Web application vulnerability on one of the biggest and most popular video sites on the Web, according to a blog post published recently by researchers at security firm Incapsula, which declined to identify the site by name. Malicious JavaScript embedded inside the image icons of accounts created by the attackers caused anyone viewing the users’ posts to run attack code that instructed their browser to send one Web request per second to the DoS victim. In all, the technique caused 22,000 ordinary Web users to unwittingly flood the target with 20 million GET requests.

“Obviously one request per second is not a lot,” Incapsula researchers Ronen Atias and Ofer Gayer wrote. “However, when dealing with video content of 10, 20, and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.”

The novel attack was made possible by the presence of a persistent cross-site scripting (XSS) vulnerability in the video site, which Incapsula didn’t identify except to say it fell in the Alexa top 50 list. XSS exploits effectively allow attackers to store malicious JavaScript on a website that gets invoked each time someone visits. The booby-trapped user icons contained an iframe tag that pulled malicious instructions off an attacker-controlled command and control server. The malicious instructions caused browsers to surreptitiously flood the DDoS target with an unusually high number of GET requests. Incapsula was able to mitigate the effects of the attack using a combination of progressive challenges and behavior-based security algorithms.

Remember the Samy Worm?

The attack is only the latest to harness the tremendous power of XSS vulnerabilities. The technique came into vogue in 2005 with the advent of the Samy worm. Named after its creator, a hacker named Samy Kamkar, the XSS exploit knocked MySpace out of commission for a day by forcing anyone who viewed his profile to become a MySpace friend. In less than 24 hours, Kamkar, who later served time in jail for the stunt, gained more than one million followers.

“The nature and beauty of persistent XSS is that the attacker doesn’t need to target specific users,” Matt Johansen, senior manager of Whitehat Security’s threat research center, told Ars. “The malicious JavaScript is stored on the website and replayed to anybody who visits this in the future. This particular JavaScript forced each browser that was running it to make a request in one-second intervals.”

Last year, Johansen and other colleagues from Whitehat Security demonstrated a proof-of-concept ad network that created a browser-based botnet using a technique that’s similar to the one Incapsula observed exploiting the XSS weakness.

“The delivery mechanism [in the Incapsula-observed attack] was different as it was from persistent XSS in the site instead of an ad network,” Johansen explained. “The only difference there was how the malicious JavaScript was rendered in the user’s (bot’s) browser. The code that is quoted in the [Incapsula] article is using a very similar technique to the code we wrote for our talk. Instead of using (image) tags like we did, this attacker is using tags which then make one request per second. We were just loading as many images as possible in the time our JavaScript was running.”

Incapsula’s discovery comes three months after criminals were observed using another novel technique to drastically amplify the volume of DDoS attacks on online game services and other websites. Rather than directly flooding the targeted services with torrents of data, an attack group sent much smaller sized data requests to time-synchronization servers running the Network Time Protocol. By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly increase the firepower at their disposal. The technique abusing the Network Time Protocol can result in as much as a 58-fold increase or more. Miscreants have long exploited unsecured domain name system servers available online to similarly amplify the amount of junk traffic available in DDoS attacks.

Incapsula’s finding underscores the constantly evolving nature of online attacks. It also demonstrates how a single weakness on one party’s website can have powerful consequences for the Internet at large, even for those who don’t visit or otherwise interact with the buggy application.
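The article describes the traffic pattern a defender actually sees: thousands of otherwise ordinary browsers, each issuing one GET request per second, all of them arriving with a Referer that points back at the page carrying the injected script. The following Python script is an added example (not Incapsula’s code and not taken from the article) of the behaviour-based approach the researchers mention: it parses web-server access logs in the common "combined" format, profiles each client by the regularity of its inter-request intervals, and groups the flagged clients by Referer so the distributing page stands out. All IPs, hostnames, paths and the threshold values are constructed assumptions for illustration.

```python
"""Behaviour-based detection of browser-driven HTTP floods.

Added example (not Incapsula's code, not from the article): given access logs
in the combined format, find clients whose requests arrive at a near-constant
interval (the "one request per second" pattern) and group them by the Referer
that points at the page hosting the injected script. IPs, hostnames, paths and
thresholds below are constructed placeholders, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec


def interval_stats(timestamps):
    """Mean inter-arrival interval and its coefficient of variation (needs >= 3 requests)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, None
    avg = mean(gaps)
    if avg == 0:  # several requests inside one log second: even more regular
        return 0.0, 0.0
    return avg, pstdev(gaps) / avg


def classify_clients(lines, min_requests=5, max_cv=0.2, max_interval=2.0):
    """Per-IP behaviour profile. A client is flagged when it sends at least
    min_requests requests at a short (<= max_interval s) and regular (CV <= max_cv)
    cadence; human browsing produces bursty, irregular gaps instead."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in per_ip.items():
        avg, cv = interval_stats([r["ts"] for r in recs])
        flagged = (len(recs) >= min_requests and avg is not None
                   and avg <= max_interval and cv <= max_cv)
        profiles[ip] = {
            "requests": len(recs),
            "mean_interval": avg,
            "cv": cv,
            "referers": sorted({r["referer"] for r in recs}),
            "flagged": flagged,
        }
    return profiles


def summarize(lines, **kw):
    """Flagged IPs plus a count of flagged clients per Referer; the Referer shared by
    many flagged clients is the page distributing the attack script."""
    profiles = classify_clients(lines, **kw)
    flagged = sorted(ip for ip, p in profiles.items() if p["flagged"])
    by_referer = defaultdict(int)
    for ip in flagged:
        for ref in profiles[ip]["referers"]:
            by_referer[ref] += 1
    return {"flagged_clients": flagged, "by_referer": dict(by_referer)}


def build_sample_log():
    """Constructed sample: three hijacked browsers hitting / once per second while
    on a video page, plus one human browsing normally. Not real traffic."""
    t0 = datetime(2014, 4, 10, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{t}] "GET {path} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    video_page = "http://video-site.example/watch?v=cats"  # constructed placeholder
    lines = []
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        for s in range(8):
            lines.append(fmt.format(ip=ip, t=stamp(s), path="/", ref=video_page))
    human = [(0, "/"), (1, "/style.css"), (7, "/about"), (8, "/logo.png"), (30, "/contact")]
    for s, path in human:
        lines.append(fmt.format(ip="198.51.100.7", t=stamp(s), path=path, ref="-"))
    return lines


if __name__ == "__main__":
    print(summarize(build_sample_log()))
```

Run against the constructed sample, the three one-per-second clients are flagged and all three share the same video-page Referer, while the human client is left alone because its gaps vary widely. In production the same profile feeds a progressive response: clients that match the cadence get a JavaScript or cookie challenge first, and only repeat offenders are blocked, which keeps the misclassification cost low for the real visitors who are unknowingly running the script.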

Read the original posting here.

GigeNET Now Offers Provider-Level DDoS Protection

Posted by Tyler Van Fossen on April 04, 2014 in Press Releases

Using proprietary algorithms and hardware configurations, GigeNET’s newest DDoS solution offers protection for entire networks and not just servers.
Chicago, IL (PRWEB) March 31, 2014
GigeNET, widely recognized as an innovator in Distributed Denial of Service (DDoS) security, is headquartered just outside of Chicago, where it owns and operates a world-class, 17,000 square-foot datacenter. The company announced today that its latest DDoS protection solution is designed to meet the needs of Internet service providers by protecting their entire network from costly DDoS attacks.

Distributed Denial of Service (DDoS) attacks use hijacked and virus-infected computers to make online services unavailable by overwhelming websites or networks with so many requests that they load very slowly or shut down completely.

However, DDoS attacks are not limited to websites and servers as datacenters are also being targeted. According to a recent study by the Ponemon Institute, released in December, DDoS attacks have become one of the most common triggers of datacenter outages.

Read More

162,000 Vulnerable WordPress Websites Abused to Perform DDoS Attack

Posted by Tyler Van Fossen on March 18, 2014 in DDOS Protection, Development, Web Security

The open source blog and CMS (content management system) tool WordPress has gained a large market share for new websites over the past few years. Its ability to manage information and ease of use have made it quicker for people with less advanced technical skills to put together high quality websites. Unfortunately, the wide adoption of WordPress has also led to an outbreak of DDoS attacks facilitated by an exploit discovered in the system. With no WordPress supported update to eliminate this loophole, what are you doing to protect your WordPress website?
By Sudhir K Bansal
DDoS attacks are a growing issue faced by governments and businesses. In a recent attack, thousands of legitimate WordPress websites were hijacked by hackers without the need for them to be compromised. Instead, the attackers took advantage of an existing WordPress vulnerability (CVE-2013-0235) – “Pingback Denial of Service possibility”.

According to security company Sucuri, in a recent amplification attack more than 162,000 legitimate WordPress sites were abused to launch a large-scale distributed denial-of-service (DDoS) attack.

The attack exploited an issue with the XML-RPC (XML remote procedure call) interface of WordPress, which is used to provide services such as pingbacks and trackbacks and which allows anyone to make a WordPress site send a request to an arbitrary site.

Read More

GigeNET Takes Cloud Security to the Next Level with its New Automated DDoS Protection Solution

Posted by Tyler Van Fossen on February 28, 2014 in Uncategorized

Using groundbreaking algorithms and exclusive hardware configurations, GigeNET offers automated DDoS monitoring and mitigation for cloud servers that come under attack.

GigeNET, renowned as a pioneer and leader in the detection of and protection from distributed denial of service (DDoS) attacks, as well as managed hosting services, is headquartered just outside of Chicago, where it owns and operates a world-class 17,000 square foot datacenter. GigeNET also has a facility in Los Angeles, and its East Coast expansion is underway.

Its latest innovation detects malicious traffic in the cloud environment and reroutes it through its new scrubbing center, allowing valid traffic to pass through uninterrupted. The introduction of Automated DDoS Protection expands GigeNET’s distributed denial of service protection suite, which also includes ProxyShield, its proprietary enterprise-class reverse proxy protection.

“Cloud servers offer businesses many advantages including on-demand scalability, pay-as-you-go flexibility and no in-house maintenance costs. While these benefits offer operational efficiency, businesses also need reliability,” said Ameen Pishdadi, President and CTO of GigeNET. “Offering our always-on Automated DDoS protection solution gives businesses the peace of mind of knowing their site is monitored 24×7 and mitigation is automatically enabled in the event of a DDoS attack.”

Automated DDoS Protection enables GigeNET to provide DDoS monitoring and mitigation on cloud servers for new and existing clients. Setting up this service takes just minutes, and there is no need to change your IP address.

In response to the rapid growth in the number and size of DDoS attacks, GigeNET recently enhanced and fortified its high capacity network by completing the initial build out and installation of its own dark fiber ring. Using dark fiber allows GigeNET to increase its data center capacity by almost 100 times while strengthening its reliability and security.

About GigeNET

GigeNET is a full-service managed hosting provider offering dedicated, cloud, hybrid, and colocation hosting solutions, as well as state-of-the-art DDoS protection. GigeNET is headquartered just outside of Chicago, Illinois where it owns and operates a 17,000 sq. ft. enterprise-class private data center that allows GigeNET to offer clients high performance with superior security at affordable prices. GigeNET also offers their wide range of services in their newly expanded Los Angeles, CA data center with plans to open an East Coast location shortly.

GigeNET has been a pioneer since their inception in the 90’s and continues to push the boundaries of what’s possible, developing new technologies and trailblazing products for their clients including ProxyShield®, the industry’s leading DDoS mitigation system.

Visit to learn more.

To see the original press release, click here.

Snapchat Flaw Lets Attackers DDoS Your Phone

Posted by Tyler Van Fossen on February 25, 2014 in Uncategorized


With the spread of mobile communications platforms now entering the market, security of your personal data should be at the forefront of each of their respective designs. Snapchat, which already has a disappointing record of keeping users’ private information under wraps, now faces another serious threat.

DDoS attacks are usually reserved for taking down servers and networks, but hackers have now exploited a hole in the code of the popular image sharing app to effectively DDoS mobile phones. By flooding a phone with spam images and requests, the attacker renders it unresponsive, forcing a shutdown to regain functionality.

What does this mean for the future of mobile communications? Should Snapchat be held accountable for the weaknesses in their programming?

Read More

GigeNET Answers Chicago’s Bandwidth Surge with the ADVA FSP 3000

Posted by Tyler Van Fossen on February 12, 2014 in Bandwidth

Move from Managed Service Model to Own Infrastructure Ensures Rapid Response to Fierce Customer Growth
Chicago, Illinois, USA. March 4, 2014. ADVA Optical Networking announced today that GigeNET has deployed the ADVA FSP 3000 to answer dramatic bandwidth growth. Connecting three locations within the Chicago area, the ADVA FSP 3000 enables GigeNET to rapidly respond to customer demand in the most efficient and scalable way possible. The key to this success is GigeNET’s development of its own network infrastructure. Moving from a managed service model to a privately-owned infrastructure ensures GigeNET can scale its network and its business in a cost-efficient and customer-driven manner. Deployed in a redundant ring topology, the ADVA FSP 3000 will play a vital role in helping GigeNET to maintain its 100% uptime guarantee and rapid service provisioning.

“Our customers are the driving force behind every decision we make. Every day we’re listening to what they need, what they want,” said Ameen Pishdadi, President and CTO, GigeNET. “This is why we decided to build our own network infrastructure and why we decided to work with the team at ADVA Optical Networking. They share our same customer focus, our same dedication to going beyond expectations to deliver something truly exceptional. With our new network, we have the best possible opportunity to help our customers succeed and to help them drive their business forward. The ADVA FSP 3000 is critical to our success here. It enables us to quickly deploy new services and meet any bandwidth demand – today and tomorrow.”

One of the principal reasons for the selection of the ADVA FSP 3000 is its reputation in the data center environment. Deployed in over 15,000 enterprises across the globe, the ADVA FSP 3000 has been refined over many years. Its low power consumption, small footprint and rapid scalability ensure it meets the most stringent of network requirements. GigeNET’s selection here goes beyond technology though. GigeNET is enrolled in ADVA Optical Networking’s training program and receives personal tuition in the company’s Atlanta campus. GigeNET also subscribes to ADVA Optical Networking’s Bronze maintenance package, ensuring rapid response to any network issues or concerns. Such maintenance coverage is vital for GigeNET customers that require the most stringent service level agreements.

“Technology can only take you so far, can only deliver so much. It’s the people that make the real difference; it’s the team that sets you apart,” commented John Scherzinger, senior vice president, North America Sales, ADVA Optical Networking. “GigeNET understands this. They understand how critical strong customer attention is. This focus has directed our approach to this project. Our teams have worked together to ensure that GigeNET could meet every customer expectation, could meet their 100% uptime promise. Shifting from a managed service to your own private infrastructure is no small task, but this shift will enable GigeNET to quickly scale its business, to rapidly meet any customer demands. Ultimately it’s this customer focus that GigeNET is all about.”

Read More

Coca-Cola Suffers Data Breach After Employee ‘Borrows’ 55 Laptops

Posted by Tyler Van Fossen on January 28, 2014 in Uncategorized

After an employee asked to ‘borrow’ 55 laptops over several years, Coca-Cola realized that there was personal data tied to several thousand employees and close relations.
By: John E. Dunn

Coca-Cola has admitted falling prey to a bizarre slow-motion data breach in which an employee apparently stole dozens of laptops over several years containing the sensitive data of 74,000 people without anyone noticing.

The unnamed former worker, said to have been in charge of equipment disposal, reportedly removed a total of 55 laptops over a six-year period from its Atlanta offices, including some that belonged to a bottling company acquired by the fizzy-drinks giant in 2010.

Only after recovering these during November and December did Coca-Cola realise that they contained 18,000 personal records that included social security numbers plus a further 56,000 covering other types of sensitive data. All but a few thousand were Coca-Cola employees or otherwise connected to the firm.

Read More

Target hackers have more data than they can sell

Posted by Tyler Van Fossen on January 15, 2014 in Uncategorized


Those cyber criminals who stole the data appear to be keeping a low profile on underground forums. Understanding how the black market works reveals that the information is now of little monetary value.

By: Jeremy Kirk

What’s the downside to successfully stealing 40 million credit card numbers from Target? Trying to sell the data.

There’s a thriving economy among cyber criminals, ranging from those who specialize in stealing credit card numbers to others who figure out a way to profit from them. But it’s also constrained by supply and demand.

Read More

GigeNET Announces Automated DDoS Protection a New Solution Designed to Monitor and Protect Servers from Distributed Denial of Service Attacks

Posted by Tyler Van Fossen on December 20, 2013 in Uncategorized

GigeNET’s Automated DDoS Protection solution offers 24×7 DDoS attack monitoring and automated mitigation response for dedicated servers that come under an attack.

GigeNET, broadly recognized as a pioneer and leader in Distributed Denial of Service (DDoS) security, is headquartered just outside of Chicago, where it owns and operates a state-of-the-art 17,000 square foot datacenter. Its latest DDoS solution uses sophisticated algorithms and proprietary hardware to monitor and detect malicious traffic and reroute it through its new scrubbing center, while allowing legitimate traffic to pass through uninterrupted. The introduction of GigeNET’s Automated DDoS Protection and Monitoring further extends GigeNET’s DDoS protection suite, which also includes ProxyShield, its enterprise-class reverse proxy protection.

If your business continuity plan doesn’t cover potential DDoS attacks, you may be putting your company at risk. According to many recent studies, the size, speed and complexity of attacks are becoming more devastating in terms of cost, and reputational risk. “DDoS attacks are no longer a question of if but when,” said Ameen Pishdadi, President and CTO of GigeNET.

Read More
