Domain Name Server (DNS) Amplification Attacks

Reblogged from IS&T Security FYI:

According to a recent report by US-CERT, Domain Name Server (DNS) amplification attacks are on the rise. DNS amplification is a type of distributed denial of service (DDoS) attack that relies on the use of open recursive DNS servers to overwhelm a target system with misdirected DNS response traffic.

The basic attack technique is fairly simple. An attacker sends a DNS name lookup request to an open recursive DNS server with the source address spoofed to the DDoS target’s address.

DarkReading sheds more light on DDoS amplification attacks and discusses what needs to be done. First and foremost, an enterprise needs to engage services that protect it before the threat reaches it. Second, have a plan for what to do when you are under attack. Lastly, make sure that you are not unwittingly participating in these attacks by running an open recursive DNS server.
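The last point above is the one a resolver operator can check for directly: because the attacker spoofs the victim's address, an abused open resolver sees a burst of identical, high-yield queries (ANY, TXT, DNSKEY) that all appear to come from one "client", and sends each of them a response many times larger than the request. The following added example, which is not part of the reblogged post or of any vendor's tooling, shows that check as a small log analyser. The log format it parses is a constructed, simplified one (`time client#port qname qtype response_bytes`), and the thresholds (five queries, 10x amplification) are assumptions to tune for your own traffic.

```python
"""Flag clients in a resolver query log that look like spoofed amplification victims."""
import re
from collections import defaultdict

# Constructed sample log (assumption: simplified format, not a real resolver's output).
# The first six lines mimic abuse: one "client" sending repeated ANY queries that
# draw 3200-byte responses; the rest are ordinary lookups.
SAMPLE_LOG = """\
12:00:01 198.51.100.7#1024 isc.org ANY 3200
12:00:01 198.51.100.7#1024 isc.org ANY 3200
12:00:01 198.51.100.7#1024 isc.org ANY 3200
12:00:02 198.51.100.7#1024 isc.org ANY 3200
12:00:02 198.51.100.7#1024 isc.org ANY 3200
12:00:02 198.51.100.7#1024 isc.org ANY 3200
12:00:03 203.0.113.5#51234 www.example.com A 60
12:00:04 203.0.113.5#51240 mail.example.com MX 120
12:00:05 203.0.113.9#40001 example.net AAAA 76
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+)\s+"
    r"(?P<qname>\S+)\s+(?P<qtype>[A-Z0-9]+)\s+(?P<resp>\d+)$"
)

DNS_HEADER_LEN = 12   # fixed DNS message header
EDNS_OPT_RR_LEN = 11  # OPT pseudo-RR added when the client asks for large UDP replies
HIGH_YIELD_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def request_size(qname, edns=True):
    """Approximate wire size of a query: header + encoded name + qtype/qclass (+ OPT RR)."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    name_len = sum(1 + len(label) for label in labels) + 1  # length octets + root terminator
    return DNS_HEADER_LEN + name_len + 4 + (EDNS_OPT_RR_LEN if edns else 0)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "client": m.group("client"),
                "qname": m.group("qname"),
                "qtype": m.group("qtype"),
                "resp_bytes": int(m.group("resp")),
                "req_bytes": request_size(m.group("qname")),
            })
    return records


def analyse(records, min_queries=5, min_amp=10.0):
    """Per client: query count, bytes-out / bytes-in ratio, and a suspicious flag.

    The 'client' address is whatever the packet claimed; under a spoofed attack
    it is the victim, which is exactly why repeated traffic to it matters.
    """
    stats = defaultdict(lambda: {"queries": 0, "resp_bytes": 0, "req_bytes": 0, "qtypes": set()})
    for r in records:
        s = stats[r["client"]]
        s["queries"] += 1
        s["resp_bytes"] += r["resp_bytes"]
        s["req_bytes"] += r["req_bytes"]
        s["qtypes"].add(r["qtype"])

    report = {}
    for client, s in stats.items():
        amp = s["resp_bytes"] / s["req_bytes"]
        report[client] = {
            "queries": s["queries"],
            "amplification": round(amp, 1),
            "high_yield_qtypes": sorted(s["qtypes"] & HIGH_YIELD_QTYPES),
            "suspicious": s["queries"] >= min_queries and amp >= min_amp,
        }
    return report


if __name__ == "__main__":
    for client, info in analyse(parse_log(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{client:15} queries={info['queries']:3} amp={info['amplification']:6}x "
              f"{info['high_yield_qtypes']} {flag}")
```

A resolver that only ever answers its own users would show no such pattern, which is the real fix: restrict recursion to your own networks (and apply response rate limiting if your server supports it) rather than tuning a detector after the fact. The ratio here is the quantity the attacker is exploiting; a 36-byte ANY query drawing a 3200-byte answer is roughly 89x amplification on the constructed data.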

Attacks on US Financial Institutions Continue

A group claiming responsibility for a recent distributed denial-of-service (DDoS) attack against the American Express website is the same one that has been targeting US financial institutions since September 2012. While the primary focus of the group’s efforts appears to be crippling the banks’ websites, there is concern that the attacks could provide a cover for fraudulent transactions.

On March 28, American Express’ website went offline for at least two hours during a distributed denial of service attack. A group calling itself “the cyber-fighters of Izz ad-Din al-Qassam” claimed responsibility for the attack, which began at about 3:00pm Eastern Time. In a statement, an American Express spokesperson said, “Our site experienced a distributed-denial-of-service (DDoS) attack for about two hours on Thursday afternoon…”

The American Express DDoS is part of a new wave of attacks started two weeks ago by the Izz ad-Din al-Qassam group, which launched a larger campaign targeting US financial institutions that began last September. The group’s alleged goal is to force the take-down of an offensive YouTube video—or extract an ongoing price from American banks as long as the video stays up, which could be indefinitely.

Ars Technica reports that these attacks are also part of a larger trend of disruptive and destructive attacks on financial institutions by apparently politically motivated groups, the most damaging of which was the attack on South Korean banks and other companies last week.

Band of the Hand

Named after a Muslim cleric who led The Black Hand, an anti-British and anti-Zionist jihadist organization in the 1920s and 1930s, and sharing a name with the military wing of Hamas (which the group’s statements claim it is tied to), Izz ad-Din al-Qassam has taken credit for a variety of attacks on US financial institutions over the past year, all allegedly in protest against the posting of trailers for the film The Innocence of Muslims on YouTube. Until the film is removed, the group said it would target “properties of American-Zionist Capitalists…This attack will continue till the Erasing of that nasty movie.”

So far, there have been three distinct phases of the group’s attacks. Dan Holden, director of Arbor Networks’ Security Engineering & Response Team, told Ars in a phone interview that the previous two waves lasted between three and four weeks, with the group then taking a break—likely to do the work required to maintain their botnet of compromised servers and add to it as their existing bots are discovered and disabled.

A well-funded attack

Still, Holden said that it’s unlikely that criminals are “coat-tailing” on the Izz ad-Din al-Qassam group’s attacks just yet. But even if the group behind the attacks isn’t profiting from them, Holden said it’s clear that there are very real investments being made in their activities—maybe not in servers or hard assets, but in the form of countless hours of maintenance of the botnet by finding new servers to exploit, and further development of attacks.

“Regardless of who’s behind this,” Holden said, “it has to be funded at some level. Even if it’s hacktivists, it’s got to be funded hacktivism.” That, he says, is because of both the amount of time dedicated to the attack, and to its ongoing refinement. “It’s not that these are the most sophisticated things in the world,” he explained, “but it has been getting more sophisticated, and it’s growing.”

A simple lesson we have not learned!!

Why have these financial institutions not invested enough money in security? Why not build a BIGGER firewall? Security preparedness is always relative, never absolute. Otherwise, you have to wait until the adversary stops the attacks!!